You want to open a file with a funny filename, like "-"
or one that starts with <, >, or |
, has leading or trailing whitespace; or ends with |
. You don't want these to trigger open
's do-what-I-mean behavior, since in this case, that's not what you mean.
$filename =~ s#^(\s)#./$1#; open(HANDLE, "< $filename\0") or die "cannot open $filename : $!\n";
Or simply use sysopen
:
sysopen(HANDLE, $filename, O_RDONLY) or die "cannot open $filename: $!\n";
The open
function uses a single string to determine both the filename and the mode - the way the file is to be opened. If your filename begins with the characters used to indicate the mode, open
can easily do something unexpected. Imagine the following code:
$filename = shift @ARGV; open(INPUT, $filename) or die "Couldn't open $filename : $!\n";
If the user gave ">/etc/passwd"
as the filename on the command line, this code would attempt to open /etc/passwd for writing - definitely unsafe! We can try to give an explicit mode, say for writing:
open(OUTPUT, ">$filename") or die "Couldn't open $filename for writing: $!\n";
but even this would let the user give a filename of "
>data"
and the code would append to the file data
instead of erasing the old contents.
The easiest solution is sysopen
, which takes the mode and filename as separate arguments:
use Fcntl; # for file constants sysopen(OUTPUT, $filename, O_WRONLY|O_TRUNC) or die "Can't open $filename for writing: $!\n";
To get the same effect with open
requires chicanery if the filename has leading or trailing whitespace:
$file =~ s#^(\s)#./$1#; open(OUTPUT, "> $file\0") or die "Couldn't open $file for OUTPUT : $!\n";
The substitution protects initial whitespace (this cannot occur in fully specified filenames like "/etc/passwd"
, but only in relative filenames like "
passwd"
). The NULL byte ("\0"
) isn't considered part of the filename by open,
but it does prevent any trailing whitespace from being ignored.
The magic way open
interprets filenames is nearly always a good thing. You never have to use the special case of "-"
to mean standard input or output. If you write a filter and use a simple open
, users can pass "gzip
-dc
bible.gz|"
as a filename, and your filter will automatically run the decoding program.
It's only those programs that run under special privilege that should worry about security with open
. When designing programs that will be run on someone else's behalf, like setuid programs or CGI scripts, the prudent programmer always considers whether the user can supply their own filename and thereby cajole what would otherwise appear to be a normal open
used for simple reading into overwriting a file or even running another program. Perl's -T command-line flag to enable taint-checking would take care of this.
The open
and sysopen
functions in perlfunc (1) and Chapter 3 of Programming Perl; Recipe 7.1; Recipe 7.7; Recipe 16.2; Recipe 19.4; Recipe 19.6