emacs-flymake-perlcritic

don't run perl -c

Open petere opened this issue 13 years ago • 3 comments

Running perl -c on unknown files is dangerous because it executes BEGIN blocks, which could contain arbitrary code.

This module is currently a security risk.

petere avatar Oct 08 '12 12:10 petere
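
The behaviour described in the report above, as an added example that is not part of the original thread: a shell function that runs perl -c on a constructed sample script and reports which parts of it had side effects. The script contents, the DEMO_DIR variable and the marker-file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added illustration: `perl -c` compiles the file, and compiling runs BEGIN
# blocks, so a "syntax check" can still execute code from the checked file.
# The sample script and marker-file names below are constructed for this demo.

# Prints "BEGIN=<yes|no> BODY=<yes|no>": which parts of the constructed
# sample script produced a side effect while being checked with `perl -c`.
perl_c_side_effects() {
    dir=$(mktemp -d) || return 2

    # Constructed sample: the BEGIN block and the main body each create
    # a harmless marker file inside the temporary directory.
    cat > "$dir/sample.pl" <<'EOF'
BEGIN { open(my $fh, '>', "$ENV{DEMO_DIR}/begin.marker") or die $!; close $fh }
open(my $fh, '>', "$ENV{DEMO_DIR}/body.marker") or die $!;
close $fh;
EOF

    # Syntax check only; perl reports "syntax OK" on stderr.
    DEMO_DIR="$dir" perl -c "$dir/sample.pl" >/dev/null 2>&1

    begin=no
    body=no
    if [ -e "$dir/begin.marker" ]; then begin=yes; fi
    if [ -e "$dir/body.marker" ]; then body=yes; fi

    rm -rf "$dir"
    echo "BEGIN=$begin BODY=$body"
}

perl_c_side_effects   # prints BEGIN=yes BODY=no when perl is installed
```

The main body never runs, which is why perl -c looks like a passive check; the BEGIN block does, and that is the part an on-the-fly checker triggers just by opening a file.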

This is a vulnerability common to the base Flymake. For clarity I've added a warning to the README about the issue, but the intent of this library is to provide additive behaviour over basic Flymake, rather than removing existing behaviour.

I do accept that it's a concern, though. I think I'll look at providing a configuration option to control the running of "perl -c"; I can default that to being disabled and place a note in the docs saying that if you need/want the base behaviour of Flymake you can enable it.

Sorry for the slow response, haven't had time to keep up with my open source projects this month, and thanks for the comments.

illusori avatar Oct 28 '12 23:10 illusori

I'm sorry, I wasn't aware that the built-in flymake already does that. I will have to redirect my complaint there then. In the meantime, I think it would be a good idea to provide an option (possibly default) to only run perlcritic.

petere avatar Nov 09 '12 05:11 petere

Now that #4 has been merged, it looks like this issue can be closed.

Since this plugin uses the new Flymake backend feature, perl -c no longer exists. Users who need syntax checking with perl -c can use the functionality provided by the perl-mode.

gemmaro avatar Mar 03 '24 03:03 gemmaro