local code execution flaw in win32/bin/search.pl #15715
From @lightsey

I noticed this while cleaning up two-argument open usage in blead. This obscure script uses two-argument open to read files in the search

Example:

jd@slug:~/ $ echo xyzzy> 'testme;wall hello world|'

If this isn't considered significant enough to treat as a vulnerability, let me
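An added example (not part of the original ticket and not code from search.pl): a Perl sketch that flags names which two-argument open would interpret as a mode or a pipe, and reads the reported name literally with three-argument open. The helper names and every sample name except the one from the report are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Describe how two-argument open() would treat a name taken from the
# filesystem; returns undef when the name is read as an ordinary file.
sub two_arg_open_hazard {
    my ($name) = @_;
    return 'trailing |: run as a command, its output is read'  if $name =~ /\|\s*\z/;
    return 'leading |: run as a command, input is piped to it' if $name =~ /\A\s*\|/;
    return 'leading > or +>: opened for writing'               if $name =~ /\A\s*\+?>/;
    return 'leading < or +<: mode prefix is consumed'          if $name =~ /\A\s*\+?</;
    return 'bare -: STDIN is opened instead'                   if $name =~ /\A\s*-\s*\z/;
    return 'surrounding whitespace is stripped'                if $name =~ /\A\s|\s\z/;
    return;
}

# Three-argument open: the mode is a separate argument, so the name is
# passed to the OS as-is, whatever characters it contains.
sub read_literal {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open '$path': $!";
    local $/;                       # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed sample names; the first is the one from the report.
my @names = ('testme;wall hello world|', '>notes.txt', ' padded.txt', '-', 'plain.txt');
for my $n (@names) {
    printf "%-28s %s\n", "'$n'", two_arg_open_hazard($n) // 'ok';
}

# On a filesystem that allows | in names (not Win32), the reported name is
# just a file when read with three-argument open.
my $dir  = tempdir(CLEANUP => 1);
my $path = "$dir/$names[0]";
if (open(my $out, '>', $path)) {
    print {$out} "xyzzy\n";
    close $out;
    print "three-arg read: ", read_literal($path);
}
```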
From @tonycoz

On Mon, 14 Nov 2016 07:51:50 -0800, john@nixnuts.net wrote:

search.pl is only installed on Win32 and you can't create files whose names contain | or >, so I don't think it's a security issue. The real fix is probably just to remove it.

Tony
The RT System itself - Status changed from 'new' to 'open'
From @xsawyerx

On Wed, Nov 16, 2016 at 1:03 AM, Tony Cook via RT

I've been looking at it. It reports to be a find + grep, but better

Does anyone object to removing it? It could be moved onto CPAN (and

Tony, if you approve, I can email on the list plans to remove it and
From @lightsey

On Wed, 2016-11-16 at 01:32 -0800, Sawyer X via RT wrote:

I wasn't aware that '|' is a reserved filename character on Windows. Since that

Removal sounds like a good solution to me.
From @tonycoz

On Wed, 16 Nov 2016 01:32:25 -0800, xsawyerx@gmail.com wrote:

It's fine with me.

Tony
From @tonycoz

On Wed, 16 Nov 2016 06:51:08 -0800, john@nixnuts.net wrote:

This ticket is now public.

The discussion at: http://www.nntp.perl.org/group/perl.perl5.porters/2016/11/msg241072.html concluded with removing it in 5.30.

Tony
Migrated from rt.perl.org#130100 (status was 'open')
Searchable as RT130100$