From ff8ba9c9d98798560ba7874ad5a1fc72a1407ba6 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Mon, 22 Jan 2018 10:52:13 +0100
Subject: [PATCH] avoid harmful '<>' pattern, explicitly read from STDIN

Fixes problems in CLIHandler using the code pattern:
    while (my $line = <>) {
        ...
    }

For why this causes only _now_ problems let's first look how <> behaves:
"The null filehandle <> is special: [...] Input from <> comes either from standard input, or from each file listed on the command line. Here's how it works: the first time <> is evaluated, the @ARGV array is checked, and if it is empty, $ARGV[0] is set to "-", which when opened gives you standard input. The @ARGV array is then processed as a list of filenames."
 - 'perldoc perlop'

Recent changes in the CLIHandler code changed how we modified @ARGV. Earlier we assumed that the first argument must be the command and thus shifted it out of @ARGV, now we can have multiple levels of (sub)commands. This change also changed how we handle @ARGV, we do not unshift anything but go through the arguments until we got to the final command and copy the rest of @ARGV as we know that this must be the command's arguments.

For '<>' this means that ARGV was still fully populated and perl tried to open element as a file, which naturally failed. Thus the change in pve-common only exposed this 'dangerous' code pattern.

Signed-off-by: Thomas Lamprecht
---
 PVE/APIClient/LWP.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/APIClient/LWP.pm b/PVE/APIClient/LWP.pm index 20e3b56..31df3c5 100755 --- a/PVE/APIClient/LWP.pm +++ b/PVE/APIClient/LWP.pm @@ -146,7 +146,7 @@ sub manual_verify_fingerprint { "X509 SHA256 key fingerprint is $fingerprint.\n" . "Are you sure you want to continue connecting (yes/no)? "; - my $answer = <>; + my $answer = ; my $valid = ($answer =~ m/^\s*yes\s*$/i) ? 1 : 0; -- 2.39.2
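
Review bot: the added line in manual_verify_fingerprint reads `my $answer = ;`, which has no right-hand side and will not compile; going by the subject line ("explicitly read from STDIN") it should be `my $answer = <STDIN>;`, so please confirm the filehandle is present in the patch as applied. Separately, `<STDIN>` returns undef at end of input (closed or non-interactive stdin), and the following `$answer =~ m/^\s*yes\s*$/i` then matches against undef: the result is still 0, so the fingerprint is rejected, but under 'use warnings' it emits an uninitialized-value warning. Consider treating an undefined answer as an explicit "no" before the match. The commit message names CLIHandler while the diff touches PVE/APIClient/LWP.pm; one sentence connecting the two would help later readers.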
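
The behaviour described in the commit message can be reproduced in isolation. The script below is an added example, not code from the patch or from the project: the @ARGV contents and the typed answer are constructed, and is_yes() is a hypothetical helper that reuses the regex from the hunk with an added defined() guard.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: the yes/no check from the hunk, with an undef guard added.
sub is_yes {
    my ($answer) = @_;
    return (defined($answer) && $answer =~ m/^\s*yes\s*$/i) ? 1 : 0;
}

# Constructed sample: arguments a (sub)command parser left behind in @ARGV.
# The names are placeholders and must not exist as files in the current directory.
@ARGV = ('hypothetical-subcommand', 'hypothetical-argument');

# Constructed sample: the user types "yes". STDIN is reopened on an in-memory
# buffer so the demonstration runs without a terminal.
my $typed = "yes\n";
close(STDIN);
open(STDIN, '<', \$typed) or die "cannot reopen STDIN: $!";

# Collect perl's own diagnostics instead of letting them reach STDERR.
my @diagnostics;
local $SIG{__WARN__} = sub { push @diagnostics, $_[0] };

# Null filehandle: @ARGV is not empty, so each element is treated as a file
# name. Neither file exists, so the read ends without ever consulting STDIN.
my $from_diamond = <>;

# Explicit filehandle: reads the typed line regardless of what is in @ARGV.
my $from_stdin = <STDIN>;

printf "answer via <>      : %s => accepted=%d\n",
    defined($from_diamond) ? "'$from_diamond'" : 'undef', is_yes($from_diamond);
print "  perl said: $_" for @diagnostics;

chomp(my $shown = $from_stdin // '');
printf "answer via <STDIN> : '%s' => accepted=%d\n", $shown, is_yes($from_stdin);
```

Had one of the leftover arguments named an existing file, `<>` would have returned that file's first line as the answer to the fingerprint prompt.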