You want to open a file with a funny filename, like
"-" or one that starts with <, >, or
|, has leading or trailing whitespace; or ends with
|. You don't want these to trigger
open's do-what-I-mean behavior, since in this case, that's not what you mean.
$filename =~ s#^(\s)#./$1#; open(HANDLE, "< $filename\0") or die "cannot open $filename : $!\n";
Or simply use
sysopen(HANDLE, $filename, O_RDONLY) or die "cannot open $filename: $!\n";
open function uses a single string to determine both the filename and the mode - the way the file is to be opened. If your filename begins with the characters used to indicate the mode,
open can easily do something unexpected. Imagine the following code:
$filename = shift @ARGV; open(INPUT, $filename) or die "Couldn't open $filename : $!\n";
If the user gave
">/etc/passwd" as the filename on the command line, this code would attempt to open /etc/passwd for writing - definitely unsafe! We can try to give an explicit mode, say for writing:
open(OUTPUT, ">$filename") or die "Couldn't open $filename for writing: $!\n";
but even this would let the user give a filename of
data" and the code would append to the file
data instead of erasing the old contents.
The easiest solution is
sysopen, which takes the mode and filename as separate arguments:
use Fcntl; # for file constants sysopen(OUTPUT, $filename, O_WRONLY|O_TRUNC) or die "Can't open $filename for writing: $!\n";
To get the same effect with
open requires chicanery if the filename has leading or trailing whitespace:
$file =~ s#^(\s)#./$1#; open(OUTPUT, "> $file\0") or die "Couldn't open $file for OUTPUT : $!\n";
The substitution protects initial whitespace (this cannot occur in fully specified filenames like
"/etc/passwd", but only in relative filenames like
passwd"). The NULL byte (
"\0") isn't considered part of the filename by
open, but it does prevent any trailing whitespace from being ignored.
The magic way
open interprets filenames is nearly always a good thing. You never have to use the special case of
"-" to mean standard input or output. If you write a filter and use a simple
open, users can pass
bible.gz|" as a filename, and your filter will automatically run the decoding program.
It's only those programs that run under special privilege that should worry about security with
open. When designing programs that will be run on someone else's behalf, like setuid programs or CGI scripts, the prudent programmer always considers whether the user can supply their own filename and thereby cajole what would otherwise appear to be a normal
open used for simple reading into overwriting a file or even running another program. Perl's -T command-line flag to enable taint-checking would take care of this.