[pve-devel] applied: avoid possible harmful <> pattern when reading from STDIN

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jan 22 14:59:21 CET 2018


applied all patches

On Mon, Jan 22, 2018 at 10:52:10AM +0100, Thomas Lamprecht wrote:
> Fixes problems in CLIHandler using the code pattern:
> 
> while (my $line = <>) {
>     ...
> }
> 
> To see why this causes problems only _now_, let's first look at how <>
> behaves:
> 
> "The null filehandle <> is special: [...] Input from <> comes either
> from standard input, or from each file listed on the command line.
> Here's how it works: the first time <> is evaluated, the @ARGV array
> is checked, and if it is empty, $ARGV[0] is set to "-" , which when
> opened gives you standard input.  The @ARGV array is then processed
> as a list of filenames." - 'perldoc perlop'
> 
> Recent changes in the CLIHandler code changed how we modified @ARGV.
> Earlier we assumed that the first argument must be the command and
> thus shifted it out of @ARGV; now we can have multiple levels of
> (sub)commands. This change also changed how we handle @ARGV: we do
> not unshift anything but go through the arguments until we get to
> the final command and copy the rest of @ARGV, as we know that this
> must be the command's arguments.
> 
> For '<>' this means that @ARGV was still fully populated and perl
> tried to open each element as a file, which naturally failed.
> Thus the change in pve-common only exposed this 'dangerous' code
> pattern.
> 
> After I saw that all usages of this pattern in our code base are not
> required, and even rather dangerous I assembled this series by using:
> 
> find -iname '*.pm' -exec sed -i 's/= <>/= <STDIN>/g' {} \;
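Worked illustration of the failure mode described in the quoted message, added here as an example; it is not part of the patch series or of the Proxmox code base. The script assumes a hypothetical @ARGV left over after (sub)command resolution and should be run with something piped on standard input, e.g. `printf 'a\nb\n' | perl diamond.pl`. The <> form tries to open each leftover argument as a file, warns, and reads nothing from STDIN; the <STDIN> form ignores @ARGV and reads the piped data. A further caveat, which is a general property of Perl rather than something the message states: <> opens each @ARGV element with two-argument open semantics, so an argument like 'cmd|' would run a command, which is why a <> loop over attacker-influenced arguments is more than a mere functional bug. Perl 5.22 and later provide <<>> (three-argument open) for the cases where iterating over file arguments really is wanted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the CLIHandler situation: after the
# (sub)command chain has been resolved, the original @ARGV is still
# fully populated with arguments that are not file names.
my @leftover_argv = ('create', 'vm100', '--config-from', 'stdin');

# Buggy pattern from the quoted message. <> is the "null filehandle":
# it only falls back to STDIN when @ARGV is empty. With @ARGV populated
# it calls open() on 'create', 'vm100', ... in turn; every open fails
# with "Can't open ...: No such file or directory", each failure is a
# warning rather than a fatal error, and the loop body never executes.
sub read_lines_diamond {
    my @lines;
    while (my $line = <>) {
        push @lines, $line;
    }
    return \@lines;
}

# Fixed pattern (what the sed in the message produces). <STDIN> is the
# process's standard input, full stop; @ARGV is never consulted.
sub read_lines_stdin {
    my @lines;
    while (my $line = <STDIN>) {
        push @lines, $line;
    }
    return \@lines;
}

{
    # Localize so the buggy call's shifting of @ARGV does not leak out.
    local @ARGV = @leftover_argv;
    my $got = read_lines_diamond();
    printf "<>      returned %d line(s); \@ARGV now has %d element(s)\n",
        scalar @$got, scalar @ARGV;
}

{
    local @ARGV = @leftover_argv;
    my $got = read_lines_stdin();
    printf "<STDIN> returned %d line(s); \@ARGV still has %d element(s)\n",
        scalar @$got, scalar @ARGV;
    print "  first line: $got->[0]" if @$got;
}
```

The first block prints warnings for each argument it tried to open and reports zero lines, even though data was piped in; the second reports every piped line and leaves @ARGV untouched, which is the behaviour the CLIHandler callers actually needed.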
