Report information
Id: 128984
Status: open
Priority: 0/
Queue: perl6

Owner: Nobody
Requestors: nxadm <nxadm [at] apt-get.be>
Cc:
AdminCc:

Severity: (no value)
Tag: (no value)
Platform: (no value)
Patch Status: (no value)
VM: (no value)



Subject: Feature request (wontfix?): perl -c executes BEGIN and CHECK blocks
Hi,

This is more of a post-it note than a real feature request, but here it goes (related with #128983)

Tools like vim-syntastic and atom use 'perl6-c' (the only valid linter for now) to report syntax errors. Because "perl6 -c" executes code (BEGIN and CHECK blocks as documented), this is a security concern for external code. Because of this, the perl 5 (perl -c) and perl 6 syntax checkers are disabled by default and must be explicitly enabled by the user.

C.
Date: Thu, 18 Aug 2016 10:38:57 -0400
From: Brandon Allbery <allbery.b [...] gmail.com>
CC: bugs-bitbucket [...] rt.perl.org
To: perl6-compiler <perl6-compiler [...] perl.org>
Subject: Re: [perl #128984] Feature request (wontfix?): perl -c executes BEGIN and CHECK blocks
On Thu, Aug 18, 2016 at 9:13 AM, Claudio <perl6-bugs-followup@perl.org> wrote:
> Tools like vim-syntastic and atom use 'perl6-c' (the only valid linter for now) to report syntax errors. Because "perl6 -c" executes code (BEGIN and CHECK blocks as documented), this is a security concern for external code.

The problem is that you probably can't parse the code successfully if you can't run BEGIN blocks. While this is currently less true of perl 6 code in the wild, it's actually even worse in potential than perl 5's ability to mutate its parser because a module can implement entire new languages.

--
brandon s allbery kf8nh                               sine nomine associates
allbery.b@gmail.com                                  ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
From: "Patrick R. Michaud" <pmichaud [...] pobox.com>
CC: perl6-compiler <perl6-compiler [...] perl.org>, bugs-bitbucket [...] rt.perl.org
Date: Thu, 18 Aug 2016 11:20:23 -0500
Subject: Re: [perl #128984] Feature request (wontfix?): perl -c executes BEGIN and CHECK blocks
To: Brandon Allbery <allbery.b [...] gmail.com>
On Thu, Aug 18, 2016 at 10:38:57AM -0400, Brandon Allbery wrote:
> On Thu, Aug 18, 2016 at 9:13 AM, Claudio <perl6-bugs-followup@perl.org>
> wrote:
>
> > Tools like vim-syntastic and atom use 'perl6-c' (the only valid linter for
> > now) to report syntax errors. Because "perl6 -c" executes code (BEGIN and
> > CHECK blocks as documented), this is a security concern for external code.
>
> The problem is that you probably can't parse the code successfully if you
> can't run BEGIN blocks. While this is currently less true of perl 6 code in
> the wild, it's actually even worse in potential than perl 5's ability to
> mutate its parser because a module can implement entire new languages.

Also, many things in Perl 6 get executed at BEGIN time even if they're
not explicitly in a BEGIN block.  Constant and class declarations come
to mind, but I'm sure there are more.

For example:

  $ cat xyz.p6
  use v6;

  say "1: mainline";
  constant $a = say "2: constant";
  BEGIN { say "3: BEGIN"; }

  $ ./perl6 xyz.p6
  2: constant
  3: BEGIN
  1: mainline

Pm
Date: Fri, 19 Aug 2016 00:18:09 +0200
From: Claudio <nxadm [...] apt-get.be>
Subject: Re: [perl #128984] Feature request (wontfix?): perl -c executes BEGIN and CHECK blocks
To: perl6-bugs-followup [...] perl.org
On Thu, Aug 18, 2016 at 6:21 PM, Patrick R. Michaud via RT <perl6-bugs-followup@perl.org> wrote:
On Thu, Aug 18, 2016 at 10:38:57AM -0400, Brandon Allbery wrote:
> On Thu, Aug 18, 2016 at 9:13 AM, Claudio <perl6-bugs-followup@perl.org>
> wrote:
>
> > Tools like vim-syntastic and atom use 'perl6-c' (the only valid linter for
> > now) to report syntax errors. Because "perl6 -c" executes code (BEGIN and
> > CHECK blocks as documented), this is a security concern for external code.
>
> The problem is that you probably can't parse the code successfully if you
> can't run BEGIN blocks. While this is currently less true of perl 6 code in
> the wild, it's actually even worse in potential than perl 5's ability to
> mutate its parser because a module can implement entire new languages.

Also, many things in Perl 6 get executed at BEGIN time even if they're
not explicitly in a BEGIN block.  Constant and class declarations come
to mind, but I'm sure there are more.

For example:

  $ cat xyz.p6
  use v6;

  say "1: mainline";
  constant $a = say "2: constant";
  BEGIN { say "3: BEGIN"; }

  $ ./perl6 xyz.p6
  2: constant
  3: BEGIN
  1: mainline

Patrick,

Taking Brandon's answer in consideration, does this mean that no perl6 code could be parsed as correct without (implicit) BEGIN blocks or that it will only work in -let's say- 99% of the time (file without a begin block)?

C.
Date: Thu, 18 Aug 2016 19:24:32 -0400
CC: Carl Mäsak via RT <perl6-bugs-followup [...] perl.org>
From: Brandon Allbery <allbery.b [...] gmail.com>
Subject: Re: [perl #128984] Feature request (wontfix?): perl -c executes BEGIN and CHECK blocks
To: Claudio <nxadm [...] apt-get.be>

On Thu, Aug 18, 2016 at 6:18 PM, Claudio <nxadm@apt-get.be> wrote:
> Taking Brandon's answer in consideration, does this mean that no perl6 code could be parsed as correct without (implicit) BEGIN blocks or that it will only work in -let's say- 99% of the time (file without a begin block)?

I did say "while this is less true for perl 6 code in the wild" --- in perl 5, disabling BEGIN blocks means losing all "use" directives. But for perl 6, you still have to worry about classes not being defined properly because their definitions are run (!) at compile time.

--
brandon s allbery kf8nh                               sine nomine associates
allbery.b@gmail.com                                  ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
Date: Fri, 19 Aug 2016 17:08:16 +0200
From: Claudio <nxadm [...] apt-get.be>
To: perl6-bugs-followup [...] perl.org
Subject: Re: [perl #128984] Feature request (wontfix?): perl -c executes BEGIN and CHECK blocks
Thank you for the clarification. That means that at the moment, most files (i.e. the ones written in OO) will have errors without a BEGIN block (i.e. the use of self).

With 'perl6 -c' being for now the *only* way to check the syntax of a code file, the security concerns should not be easily disregarded. In the best case, users will have to jump through hoops to have the functionality enabled 'at their own risk', in the worst case people will blame Perl 6 for stupid/dangerous things done to their environment while "reading a code file with their editor".

I am just thinking out loud, but could a different restricted core binary with only a subset of the code provide the necessary parsing capabilities?
An alternative could be external tools implementing the parsing/linting of code (maybe something using DrForr's future Perl6::Tidy?), but in that case we would risk having something playing catch-up to new Perl 6 releases.


C.

On Fri, Aug 19, 2016 at 1:25 AM, Brandon Allbery via RT <perl6-bugs-followup@perl.org> wrote:
On Thu, Aug 18, 2016 at 6:18 PM, Claudio <nxadm@apt-get.be> wrote:

> Taking Brandon's answer in consideration, does this mean that no perl6
> code could be parsed as correct without (implicit) BEGIN blocks or that it
> will only work in -let's say- 99% of the time (file without a begin block)?


I did say "while this is less true for perl 6 code in the wild" --- in perl
5, disabling BEGIN blocks means losing all "use" directives. But for perl
6, you still have to worry about classes not being defined properly because
their definitions are run (!) at compile time.

--
brandon s allbery kf8nh                               sine nomine associates
allbery.b@gmail.com                                  ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
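
The opt-in behaviour discussed in this thread can be enforced by the editor integration itself. The sketch below is an added example, not code from the ticket or from any tool named in it; `lint_command`, `lint` and the trusted-roots list are hypothetical names, and it only hands a file to `perl6 -c` when the file's resolved path lies under a directory the user has marked as trusted.

```python
import subprocess
from pathlib import Path


def is_trusted(source, trusted_roots):
    """True only if the fully resolved file lives under a trusted root."""
    # resolve() follows symlinks, so a link placed inside a trusted
    # directory that points at external code is judged by its target.
    real = Path(source).resolve(strict=True)
    for root in trusted_roots:
        try:
            real.relative_to(Path(root).resolve(strict=True))
            return True
        except (ValueError, FileNotFoundError):
            continue
    return False


def lint_command(source, trusted_roots, compiler="perl6"):
    """Return the argv for the syntax check, or None if it must not run.

    Assumption: `compiler` is on PATH; "-c" is the flag from the ticket.
    """
    try:
        if not is_trusted(source, trusted_roots):
            return None
    except FileNotFoundError:
        return None  # missing file: nothing to compile
    return [compiler, "-c", str(Path(source).resolve())]


def lint(source, trusted_roots):
    """Run the check for trusted files; report a skip for everything else."""
    argv = lint_command(source, trusted_roots)
    if argv is None:
        return "skipped: file is outside the trusted roots, not compiled"
    # BEGIN/CHECK blocks, constants and class bodies run here, with the
    # editor user's privileges; the gate above is the only protection.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr
```

A trusted file can still pull in modules with `use`, and those are compiled as well, so the trusted roots should cover only code whose dependencies are also trusted.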



