Hi,

2016-12-09 18:26 GMT+09:00 Philip Hands <p...@hands.com>:
> > open(PIPE, "-|") || exec '@globalpath@', '--result=ctags-xid',
> > $flags, $pattern;
>
> Is it not the case that this last line forks and execs global, passing
> $pattern as a parameter to global's -e option, and that $pattern is
> untrusted input?

Yes. $pattern is untrusted input.

> Looking at global.c it seems that before it is passed on to popen, it is
> run through quote_shell() which quotes any single-quotes in the string.
>
> That seems to deal with Ron's assertion that it's exploitable, although
> I have a slight feeling of impending doom about relying upon just this.

I agree. I use popen() in global.c to call idutils(1).
I would like to rewrite it in the near future.

> Would it not be wise to make the network-facing perl code runnable with
> strict and taint turned on, if only to stop people reacting with horror
> at first glance?
>
> I presume patches would be welcome?

Of course! Thank you.

Regards,
Shigio
--
Shigio YAMAGUCHI <shi...@gnu.org>
PGP fingerprint: D1CB 0B89 B346 4AB6 5663 C4B6 3CA5 BBB3 57BE DDA3