[{"data":1,"prerenderedAt":1768},["ShallowReactive",2],{"global-navigation":3,"page-\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids34-pl":28,"surround-\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids34-pl":1391,"sidebar-sei-cert-perl-coding-standard":1397},[4,8],{"title":5,"path":6,"_path":6,"fromAppConfig":7},"Home","\u002F",true,{"title":9,"path":10,"children":11,"_path":27,"fromAppConfig":7},"Coding Standards","\u002Fcoding-standards\u002F",[12,15,18,21,24],{"title":13,"path":14},"Android Coding Standard","\u002Fandroid-secure-coding-standard\u002F",{"title":16,"path":17},"C Coding Standard","\u002Fsei-cert-c-coding-standard\u002F",{"title":19,"path":20},"C++ Coding Standard","\u002Fsei-cert-cpp-coding-standard\u002F",{"title":22,"path":23},"Java Coding Standard","\u002Fsei-cert-oracle-coding-standard-for-java\u002F",{"title":25,"path":26},"Perl Coding Standard","\u002Fsei-cert-perl-coding-standard\u002F","\u002Fcoding-standards",{"id":29,"title":30,"body":31,"description":41,"extension":1382,"meta":1383,"navigation":7,"path":1387,"seo":1388,"stem":1389,"__hash__":1390},"content\u002F7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F6.ids34-pl.md","IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter",{"type":32,"value":33,"toc":1366},"minimark",[34,38,42,76,86,95,103,114,226,229,303,309,367,371,377,487,490,527,530,534,539,639,650,656,662,666,674,810,813,816,820,835,908,914,925,988,999,1005,1014,1100,1106,1110,1113,1179,1183,1239,1243,1294,1298,1338,1341,1362],[35,36,30],"h1",{"id":37},"ids34-pl-do-not-pass-untrusted-unsanitized-data-to-a-command-interpreter",[39,40,41],"p",{},"External programs are commonly invoked to perform a function required by the overall system. This is a form of reuse and might even be considered a crude form of component-based software engineering. 
Command and argument injection vulnerabilities occur when an application fails to sanitize untrusted input and uses it in the execution of external programs.",[39,43,44,45,49,50,53,54,57,58,60,61,63,64,67,68,71,72,75],{},"The ",[46,47,48],"code",{},"exec()"," built-in function is the standard mechanism for executing system commands; it is a wrapper around the POSIX ",[46,51,52],{},"exec"," family of system calls. The ",[46,55,56],{},"system()"," built-in function is similar to ",[46,59,52],{}," , but it takes a single string, whereas ",[46,62,48],{}," takes a list. The ",[46,65,66],{},"qx"," operator, often represented by encasing a command in backquotes ( ",[46,69,70],{},"   ``  "," ), can also be used to execute an arbitrary command. Finally, the ",[46,73,74],{},"open()"," function can also execute commands in a subprocess and either send data to them or fetch data from them (but not both).",[39,77,78,79,82,83,85],{},"Command injection attacks cannot succeed unless a command interpreter is explicitly invoked. However, argument injection attacks can occur when arguments have spaces, double quotes, and so forth, or when they start with a ",[46,80,81],{},"-"," or ",[46,84,6],{}," to indicate a switch.",[39,87,88,89,94],{},"This rule is a specific instance of ",[90,91,93],"a",{"href":92},"\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids33-pl","IDS33-PL. Sanitize untrusted data passed across a trust boundary"," . Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.",[96,97,99,100,102],"h2",{"id":98},"noncompliant-code-example-open","Noncompliant Code Example ( ",[46,101,74],{}," )",[39,104,105,106,108,109,113],{},"This noncompliant code example tries to list a directory specified by the user. 
It safely uses the three-argument ",[46,107,74],{}," command, as required by ",[90,110,112],{"href":111},"\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids31-pl","IDS31-PL. Do not use the two-argument form of open()"," .",[115,116,118],"code-block",{"quality":117},"bad",[119,120,125],"pre",{"className":121,"code":122,"language":123,"meta":124,"style":124},"language-perl shiki shiki-themes github-light github-dark monokai","my $dir = $ARGV[0];\nopen( my $listing, \"-|\", \"ls -F $dir\") or croak \"error executing command: stopped\";\nwhile (\u003C$listing>) {\n  print \"Result: $_\";\n}\nclose( $listing);\n","perl","",[46,126,127,140,186,195,211,217],{"__ignoreMap":124},[128,129,132,136],"span",{"class":130,"line":131},"line",1,[128,133,135],{"class":134},"sC2Qs","my",[128,137,139],{"class":138},"sMOD_"," $dir = $ARGV[0];\n",[128,141,143,147,150,152,155,159,162,165,168,171,174,177,180,183],{"class":130,"line":142},2,[128,144,146],{"class":145},"sTrkL","open",[128,148,149],{"class":138},"( ",[128,151,135],{"class":134},[128,153,154],{"class":138}," $listing, ",[128,156,158],{"class":157},"sstjo","\"-|\"",[128,160,161],{"class":138},", ",[128,163,164],{"class":157},"\"ls -F ",[128,166,167],{"class":138},"$dir",[128,169,170],{"class":157},"\"",[128,172,173],{"class":138},") ",[128,175,176],{"class":134},"or",[128,178,179],{"class":138}," croak ",[128,181,182],{"class":157},"\"error executing command: stopped\"",[128,184,185],{"class":138},";\n",[128,187,189,192],{"class":130,"line":188},3,[128,190,191],{"class":134},"while",[128,193,194],{"class":138}," (\u003C$listing>) {\n",[128,196,198,201,204,207,209],{"class":130,"line":197},4,[128,199,200],{"class":145},"  print",[128,202,203],{"class":157}," \"Result: 
",[128,205,206],{"class":138},"$_",[128,208,170],{"class":157},[128,210,185],{"class":138},[128,212,214],{"class":130,"line":213},5,[128,215,216],{"class":138},"}\n",[128,218,220,223],{"class":130,"line":219},6,[128,221,222],{"class":145},"close",[128,224,225],{"class":138},"( $listing);\n",[39,227,228],{},"The program also works properly when given a valid directory as an argument:",[119,230,234],{"className":231,"code":232,"language":233,"meta":124,"style":124},"language-java shiki shiki-themes github-light github-dark monokai","% .\u002Fsample.pl ~\nResult: bin\u002F\nResult: Desktop\u002F\nResult: src\u002F\nResult: workspace\u002F\n%\n","java",[46,235,236,251,265,276,287,298],{"__ignoreMap":124},[128,237,238,241,243,245,248],{"class":130,"line":131},[128,239,240],{"class":134},"%",[128,242,113],{"class":138},[128,244,6],{"class":134},[128,246,247],{"class":138},"sample.pl ",[128,249,250],{"class":134},"~\n",[128,252,253,256,259,262],{"class":130,"line":142},[128,254,255],{"class":138},"Result",[128,257,258],{"class":134},":",[128,260,261],{"class":138}," bin",[128,263,264],{"class":134},"\u002F\n",[128,266,267,269,271,274],{"class":130,"line":188},[128,268,255],{"class":138},[128,270,258],{"class":134},[128,272,273],{"class":138}," Desktop",[128,275,264],{"class":134},[128,277,278,280,282,285],{"class":130,"line":197},[128,279,255],{"class":138},[128,281,258],{"class":134},[128,283,284],{"class":138}," src",[128,286,264],{"class":134},[128,288,289,291,293,296],{"class":130,"line":213},[128,290,255],{"class":138},[128,292,258],{"class":134},[128,294,295],{"class":138}," workspace",[128,297,264],{"class":134},[128,299,300],{"class":130,"line":219},[128,301,302],{"class":134},"%\n",[39,304,305,306,308],{},"But it can also have unintended consequences, as in this case, if an attacker injects an arbitrary command to be executed by the call to ",[46,307,74],{}," :",[119,310,312],{"className":231,"code":311,"language":233,"meta":124,"style":124},"% .\u002Fexample.pl 
\"dummy ; echo bad\"\nls: cannot access dummy: No such file or directory\nResult: bad\n% .\u002Fexample.pl \n",[46,313,314,328,347,356],{"__ignoreMap":124},[128,315,316,318,320,322,325],{"class":130,"line":131},[128,317,240],{"class":134},[128,319,113],{"class":138},[128,321,6],{"class":134},[128,323,324],{"class":138},"example.pl ",[128,326,327],{"class":157},"\"dummy ; echo bad\"\n",[128,329,330,333,335,338,340,344],{"class":130,"line":142},[128,331,332],{"class":138},"ls",[128,334,258],{"class":134},[128,336,337],{"class":138}," cannot access dummy",[128,339,258],{"class":134},[128,341,343],{"class":342},"sk8M1"," No",[128,345,346],{"class":138}," such file or directory\n",[128,348,349,351,353],{"class":130,"line":188},[128,350,255],{"class":138},[128,352,258],{"class":134},[128,354,355],{"class":138}," bad\n",[128,357,358,360,362,364],{"class":130,"line":197},[128,359,240],{"class":134},[128,361,113],{"class":138},[128,363,6],{"class":134},[128,365,366],{"class":138},"example.pl\n",[96,368,370],{"id":369},"compliant-solution-sanitization","Compliant Solution (Sanitization)",[39,372,373,374,376],{},"This compliant solution sanitizes the untrusted user input by permitting only a small group of whitelisted characters in the argument that will be passed to ",[46,375,74],{}," ; all other characters are excluded.",[115,378,380],{"quality":379},"good",[119,381,383],{"className":121,"code":382,"language":123,"meta":124,"style":124},"my $file;\nmy $dir = $ARGV[0];\ncroak \"Argument contains unsanitary characters, stopped\" if ($dir =~ m|[^-A-Za-z0-9_\u002F.~]|);\nopen( my $listing, \"-|\", \"ls -F $dir\") or croak \"error executing command: stopped\";\nwhile (\u003C$listing>) {\n  print \"Result: $_\";\n}\nclose( $listing);\n",[46,384,385,392,398,427,457,463,475,480],{"__ignoreMap":124},[128,386,387,389],{"class":130,"line":131},[128,388,135],{"class":134},[128,390,391],{"class":138}," 
$file;\n",[128,393,394,396],{"class":130,"line":142},[128,395,135],{"class":134},[128,397,139],{"class":138},[128,399,400,403,406,409,412,415,418,422,424],{"class":130,"line":188},[128,401,402],{"class":138},"croak ",[128,404,405],{"class":157},"\"Argument contains unsanitary characters, stopped\"",[128,407,408],{"class":134}," if",[128,410,411],{"class":138}," ($dir =~ ",[128,413,414],{"class":145},"m",[128,416,417],{"class":157},"|",[128,419,421],{"class":420},"s7F3e","[^-A-Za-z0-9_\u002F.~]",[128,423,417],{"class":157},[128,425,426],{"class":138},");\n",[128,428,429,431,433,435,437,439,441,443,445,447,449,451,453,455],{"class":130,"line":197},[128,430,146],{"class":145},[128,432,149],{"class":138},[128,434,135],{"class":134},[128,436,154],{"class":138},[128,438,158],{"class":157},[128,440,161],{"class":138},[128,442,164],{"class":157},[128,444,167],{"class":138},[128,446,170],{"class":157},[128,448,173],{"class":138},[128,450,176],{"class":134},[128,452,179],{"class":138},[128,454,182],{"class":157},[128,456,185],{"class":138},[128,458,459,461],{"class":130,"line":213},[128,460,191],{"class":134},[128,462,194],{"class":138},[128,464,465,467,469,471,473],{"class":130,"line":219},[128,466,200],{"class":145},[128,468,203],{"class":157},[128,470,206],{"class":138},[128,472,170],{"class":157},[128,474,185],{"class":138},[128,476,478],{"class":130,"line":477},7,[128,479,216],{"class":138},[128,481,483,485],{"class":130,"line":482},8,[128,484,222],{"class":145},[128,486,225],{"class":138},[39,488,489],{},"This code properly rejects shell commands:",[119,491,493],{"className":231,"code":492,"language":233,"meta":124,"style":124},"% .\u002Fexample.pl \"dummy ; echo bad\"\nArgument contains unsanitary characters, stopped at .\u002Fexample.pl line 8\n% 
\n",[46,494,495,507,523],{"__ignoreMap":124},[128,496,497,499,501,503,505],{"class":130,"line":131},[128,498,240],{"class":134},[128,500,113],{"class":138},[128,502,6],{"class":134},[128,504,324],{"class":138},[128,506,327],{"class":157},[128,508,509,512,515,517,520],{"class":130,"line":142},[128,510,511],{"class":342},"Argument",[128,513,514],{"class":138}," contains unsanitary characters, stopped at .",[128,516,6],{"class":134},[128,518,519],{"class":138},"example.pl line ",[128,521,522],{"class":420},"8\n",[128,524,525],{"class":130,"line":188},[128,526,302],{"class":134},[39,528,529],{},"However, this code also rejects valid directories if their names contain characters not in the whitelist regex. The whitelist still admits a leading hyphen, so an argument that begins with - is handed to ls as a switch rather than as a directory name; this is the argument-injection case described above.",[96,531,533],{"id":532},"compliant-solution-shell-avoidance","Compliant Solution (Shell Avoidance)",[39,535,536,537,113],{},"This compliant solution again sanitizes the untrusted user input. However, it uses the multi-argument form of ",[46,538,74],{},[115,540,541],{"quality":379},[119,542,544],{"className":121,"code":543,"language":123,"meta":124,"style":124},"my $file;\nmy $dir = $ARGV[0];\ncroak \"Argument contains unsanitary characters, stopped\" if ($dir =~ m|[^-A-Za-z0-9_\u002F.~]|);\nopen( my $listing, \"-|\", \"ls\", \"-F\", $dir) or croak \"error executing command: stopped\";\nwhile (\u003C$listing>) {\n  print \"Result: $_\";\n}\nclose( 
$listing);\n",[46,545,546,552,558,578,611,617,629,633],{"__ignoreMap":124},[128,547,548,550],{"class":130,"line":131},[128,549,135],{"class":134},[128,551,391],{"class":138},[128,553,554,556],{"class":130,"line":142},[128,555,135],{"class":134},[128,557,139],{"class":138},[128,559,560,562,564,566,568,570,572,574,576],{"class":130,"line":188},[128,561,402],{"class":138},[128,563,405],{"class":157},[128,565,408],{"class":134},[128,567,411],{"class":138},[128,569,414],{"class":145},[128,571,417],{"class":157},[128,573,421],{"class":420},[128,575,417],{"class":157},[128,577,426],{"class":138},[128,579,580,582,584,586,588,590,592,595,597,600,603,605,607,609],{"class":130,"line":197},[128,581,146],{"class":145},[128,583,149],{"class":138},[128,585,135],{"class":134},[128,587,154],{"class":138},[128,589,158],{"class":157},[128,591,161],{"class":138},[128,593,594],{"class":157},"\"ls\"",[128,596,161],{"class":138},[128,598,599],{"class":157},"\"-F\"",[128,601,602],{"class":138},", $dir) ",[128,604,176],{"class":134},[128,606,179],{"class":138},[128,608,182],{"class":157},[128,610,185],{"class":138},[128,612,613,615],{"class":130,"line":213},[128,614,191],{"class":134},[128,616,194],{"class":138},[128,618,619,621,623,625,627],{"class":130,"line":219},[128,620,200],{"class":145},[128,622,203],{"class":157},[128,624,206],{"class":138},[128,626,170],{"class":157},[128,628,185],{"class":138},[128,630,631],{"class":130,"line":477},[128,632,216],{"class":138},[128,634,635,637],{"class":130,"line":482},[128,636,222],{"class":145},[128,638,225],{"class":138},[39,640,44,641,647,648,308],{},[90,642,646],{"href":643,"rel":644},"http:\u002F\u002Fperldoc.perl.org\u002Fperlfunc.html",[645],"nofollow","perlfunc"," manpages states, regarding all but the first two arguments to ",[46,649,74],{},[651,652,653],"blockquote",{},[39,654,655],{},"If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the 
system's command shell for parsing (this is \"\u002Fbin\u002Fsh -c\" on Unix platforms, but varies on other platforms). If there are no shell metacharacters in the argument, it is split into words and passed directly to \"execvp,\" which is more efficient.",[39,657,658,659,661],{},"So this form of ",[46,660,74],{}," is preferable if your platform's shell might be set up incorrectly or maliciously.",[96,663,665],{"id":664},"compliant-solution-restricted-choice","Compliant Solution (Restricted Choice)",[39,667,668,669,671,672,113],{},"This compliant solution prevents command injection by passing only trusted strings to ",[46,670,74],{}," . The user has control over which string is used but cannot provide string data directly to ",[46,673,74],{},[115,675,676],{"quality":379},[119,677,679],{"className":121,"code":678,"language":123,"meta":124,"style":124},"my %choices = (BIN => \"~\u002Fbin\",\n               LIB => \"~\u002Flib\",\n               SRC => \"~\u002Fsrc\");\nmy $choice = $choices{$ARGV[0]};\ncroak \"Invalid argument, stopped\" if (!defined $choice);\nopen( my $listing, \"-|\", \"ls -F $choice\") or croak \"error executing command: stopped\";\nwhile (\u003C$listing>) {\n  print \"Result: $_\";\n}\nclose( $listing);\n",[46,680,681,700,712,724,731,749,780,786,798,803],{"__ignoreMap":124},[128,682,683,685,688,691,694,697],{"class":130,"line":131},[128,684,135],{"class":134},[128,686,687],{"class":138}," %choices = (",[128,689,690],{"class":420},"BIN",[128,692,693],{"class":134}," =>",[128,695,696],{"class":157}," \"~\u002Fbin\"",[128,698,699],{"class":138},",\n",[128,701,702,705,707,710],{"class":130,"line":142},[128,703,704],{"class":420},"               LIB",[128,706,693],{"class":134},[128,708,709],{"class":157}," \"~\u002Flib\"",[128,711,699],{"class":138},[128,713,714,717,719,722],{"class":130,"line":188},[128,715,716],{"class":420},"               SRC",[128,718,693],{"class":134},[128,720,721],{"class":157}," 
\"~\u002Fsrc\"",[128,723,426],{"class":138},[128,725,726,728],{"class":130,"line":197},[128,727,135],{"class":134},[128,729,730],{"class":138}," $choice = $choices{$ARGV[0]};\n",[128,732,733,735,738,740,743,746],{"class":130,"line":213},[128,734,402],{"class":138},[128,736,737],{"class":157},"\"Invalid argument, stopped\"",[128,739,408],{"class":134},[128,741,742],{"class":138}," (!",[128,744,745],{"class":145},"defined",[128,747,748],{"class":138}," $choice);\n",[128,750,751,753,755,757,759,761,763,765,768,770,772,774,776,778],{"class":130,"line":219},[128,752,146],{"class":145},[128,754,149],{"class":138},[128,756,135],{"class":134},[128,758,154],{"class":138},[128,760,158],{"class":157},[128,762,161],{"class":138},[128,764,164],{"class":157},[128,766,767],{"class":138},"$choice",[128,769,170],{"class":157},[128,771,173],{"class":138},[128,773,176],{"class":134},[128,775,179],{"class":138},[128,777,182],{"class":157},[128,779,185],{"class":138},[128,781,782,784],{"class":130,"line":477},[128,783,191],{"class":134},[128,785,194],{"class":138},[128,787,788,790,792,794,796],{"class":130,"line":482},[128,789,200],{"class":145},[128,791,203],{"class":157},[128,793,206],{"class":138},[128,795,170],{"class":157},[128,797,185],{"class":138},[128,799,801],{"class":130,"line":800},9,[128,802,216],{"class":138},[128,804,806,808],{"class":130,"line":805},10,[128,807,222],{"class":145},[128,809,225],{"class":138},[39,811,812],{},"This compliant solution hard codes the directories that may be listed.",[39,814,815],{},"This solution can quickly become unmanageable if you have many available directories. 
A more scalable solution is to read the permitted directories from an external file into a hash; in that case the external file itself becomes part of the trust boundary and must be protected from modification by untrusted users.",[96,817,819],{"id":818},"compliant-solution-avoid-interpreters","Compliant Solution (Avoid Interpreters)",[39,821,822,823,826,827,830,831,834],{},"When the task performed by executing a system command can be accomplished by some other means, it is almost always advisable to do so. This compliant solution uses the ",[46,824,825],{},"opendir()"," , ",[46,828,829],{},"readdir()"," , and ",[46,832,833],{},"closedir()"," built-in functions to provide a directory listing, eliminating the possibility of command or argument injection attacks.",[115,836,837],{"quality":379},[119,838,840],{"className":121,"code":839,"language":123,"meta":124,"style":124},"my $dir = $ARGV[0];\nopendir( my $listing, $dir) or croak \"error executing command: stopped\";\nwhile (readdir($listing)) {\n  print \"Result: $_\\n\";\n}\nclosedir($listing);\n",[46,841,842,848,868,881,896,900],{"__ignoreMap":124},[128,843,844,846],{"class":130,"line":131},[128,845,135],{"class":134},[128,847,139],{"class":138},[128,849,850,853,855,857,860,862,864,866],{"class":130,"line":142},[128,851,852],{"class":145},"opendir",[128,854,149],{"class":138},[128,856,135],{"class":134},[128,858,859],{"class":138}," $listing, $dir) ",[128,861,176],{"class":134},[128,863,179],{"class":138},[128,865,182],{"class":157},[128,867,185],{"class":138},[128,869,870,872,875,878],{"class":130,"line":188},[128,871,191],{"class":134},[128,873,874],{"class":138}," (",[128,876,877],{"class":145},"readdir",[128,879,880],{"class":138},"($listing)) 
{\n",[128,882,883,885,887,889,892,894],{"class":130,"line":197},[128,884,200],{"class":145},[128,886,203],{"class":157},[128,888,206],{"class":138},[128,890,891],{"class":420},"\\n",[128,893,170],{"class":157},[128,895,185],{"class":138},[128,897,898],{"class":130,"line":213},[128,899,216],{"class":138},[128,901,902,905],{"class":130,"line":219},[128,903,904],{"class":145},"closedir",[128,906,907],{"class":138},"($listing);\n",[96,909,99,911,102],{"id":910},"noncompliant-code-example-vu583020",[46,912,913],{},"VU#583020",[39,915,916,921,922,924],{},[90,917,920],{"href":918,"rel":919},"http:\u002F\u002Fwww.kb.cert.org\u002Fvuls\u002Fid\u002F583020",[645],"US-CERT Vulnerability #583020"," describes Perl code that invoked the ",[46,923,56],{}," built-in function without sanitizing its argument:",[115,926,927],{"quality":117},[119,928,930],{"className":121,"code":929,"language":123,"meta":124,"style":124},"sub do {\n        shift;\n        $do_call = \"xmms -\" . shift;\n        system $do_call;\n        return $do_call;\n  }\n",[46,931,932,945,952,968,976,983],{"__ignoreMap":124},[128,933,934,938,942],{"class":130,"line":131},[128,935,937],{"class":936},"sq6CD","sub",[128,939,941],{"class":940},"srTi1"," do",[128,943,944],{"class":138}," {\n",[128,946,947,950],{"class":130,"line":142},[128,948,949],{"class":145},"        shift",[128,951,185],{"class":138},[128,953,954,957,960,963,966],{"class":130,"line":188},[128,955,956],{"class":138},"        $do_call = ",[128,958,959],{"class":157},"\"xmms -\"",[128,961,962],{"class":138}," . 
",[128,964,965],{"class":145},"shift",[128,967,185],{"class":138},[128,969,970,973],{"class":130,"line":197},[128,971,972],{"class":145},"        system",[128,974,975],{"class":138}," $do_call;\n",[128,977,978,981],{"class":130,"line":213},[128,979,980],{"class":134},"        return",[128,982,975],{"class":138},[128,984,985],{"class":130,"line":219},[128,986,987],{"class":138},"  }\n",[39,989,990,991,994,995,113],{},"An attacker who could control the arguments to the ",[46,992,993],{},"do()"," subroutine could cause the code to invoke arbitrary shell commands. This code also violates ",[90,996,998],{"href":997},"\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fdeclarations-and-initialization-dcl\u002Fdcl31-pl","DCL31-PL. Do not overload reserved keywords or subroutines",[96,1000,1002,1003,102],{"id":1001},"compliant-solution-vu583020","Compliant Solution ( ",[46,1004,913],{},[39,1006,1007,1008,1011,1012,113],{},"This code was mitigated by adding a regex to make sure that only a single character supplied by the user could be added to the ",[46,1009,1010],{},"$do_call"," variable before passing it to ",[46,1013,56],{},[115,1015,1016],{"quality":379},[119,1017,1019],{"className":121,"code":1018,"language":123,"meta":124,"style":124},"sub do {\n    shift;\n    $command = shift;\n    $command =~ \u002F([\\w])\u002F;\n    $command = $1;\n    $do_call = \"xmms -\" . 
$command;\n    system $do_call;\n    return $do_call;\n  }\n",[46,1020,1021,1029,1036,1045,1067,1072,1082,1089,1096],{"__ignoreMap":124},[128,1022,1023,1025,1027],{"class":130,"line":131},[128,1024,937],{"class":936},[128,1026,941],{"class":940},[128,1028,944],{"class":138},[128,1030,1031,1034],{"class":130,"line":142},[128,1032,1033],{"class":145},"    shift",[128,1035,185],{"class":138},[128,1037,1038,1041,1043],{"class":130,"line":188},[128,1039,1040],{"class":138},"    $command = ",[128,1042,965],{"class":145},[128,1044,185],{"class":138},[128,1046,1047,1050,1052,1056,1060,1063,1065],{"class":130,"line":197},[128,1048,1049],{"class":138},"    $command =~ ",[128,1051,6],{"class":157},[128,1053,1055],{"class":1054},"sFxd3","([",[128,1057,1059],{"class":1058},"sHuvb","\\w",[128,1061,1062],{"class":1054},"])",[128,1064,6],{"class":157},[128,1066,185],{"class":138},[128,1068,1069],{"class":130,"line":213},[128,1070,1071],{"class":138},"    $command = $1;\n",[128,1073,1074,1077,1079],{"class":130,"line":219},[128,1075,1076],{"class":138},"    $do_call = ",[128,1078,959],{"class":157},[128,1080,1081],{"class":138}," . 
$command;\n",[128,1083,1084,1087],{"class":130,"line":477},[128,1085,1086],{"class":145},"    system",[128,1088,975],{"class":138},[128,1090,1091,1094],{"class":130,"line":482},[128,1092,1093],{"class":134},"    return",[128,1095,975],{"class":138},[128,1097,1098],{"class":130,"line":800},[128,1099,987],{"class":138},[39,1101,1102,1103,1105],{},"This code still violates ",[90,1104,998],{"href":997}," ; it is shown here for historical accuracy. Note also that Perl does not reset $1 when a match fails, so if the supplied string contains no word character, $command takes whatever value $1 held from the last successful match in scope (or undef) rather than a character from the user input.",[96,1107,1109],{"id":1108},"risk-assessment","Risk Assessment",[39,1111,1112],{},"Using deprecated or obsolete classes or methods in program code can lead to erroneous behavior.",[1114,1115,1116,1117,1116,1147],"table",{},"\n  ",[1118,1119,1120,1121,1116],"thead",{},"\n    ",[1122,1123,1124,1125,1124,1129,1124,1132,1124,1135,1124,1138,1124,1141,1124,1144,1120],"tr",{},"\n      ",[1126,1127,1128],"th",{},"Rule",[1126,1130,1131],{},"Severity",[1126,1133,1134],{},"Likelihood",[1126,1136,1137],{},"Detectable",[1126,1139,1140],{},"Repairable",[1126,1142,1143],{},"Priority",[1126,1145,1146],{},"Level",[1148,1149,1120,1150,1116],"tbody",{},[1122,1151,1124,1152,1124,1156,1124,1159,1124,1162,1124,1165,1124,1167,1124,1174,1120],{},[1153,1154,1155],"td",{},"IDS34-PL",[1153,1157,1158],{},"High",[1153,1160,1161],{},"Probable",[1153,1163,1164],{},"No",[1153,1166,1164],{},[1153,1168,1170],{"style":1169},"color: #f1c40f;",[1171,1172,1173],"b",{},"P6",[1153,1175,1176],{"style":1169},[1171,1177,1178],{},"L2",[96,1180,1182],{"id":1181},"automated-detection","Automated Detection",[1114,1184,1187,1196],{"className":1185},[1186],"wrapped",[1188,1189,1190,1194],"colgroup",{},[1191,1192],"col",{"style":1193},"width: 50%",[1191,1195],{"style":1193},[1148,1197,1198,1212,1222],{},[1122,1199,1202,1207],{"className":1200},[1201],"header",[1126,1203,1204],{},[39,1205,1206],{},"Tool",[1126,1208,1209],{},[39,1210,1211],{},"Diagnostic",[1122,1213,1216,1219],{"className":1214},[1215],"odd",[1153,1217,1218],{},"Taint mode",[1153,1220,1221],{},"Insecure 
dependency in (system|piped open)",[1122,1223,1226,1232],{"className":1224},[1225],"even",[1153,1227,1228],{},[90,1229,1231],{"href":1230},"\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fsecurity-reviewer-static-reviewer","Security Reviewer - Static Reviewer",[1153,1233,1234,1235,1238],{},"PERL_S09",[1236,1237],"br",{},"\nPERL_S25",[96,1240,1242],{"id":1241},"related-guidelines","Related Guidelines",[1114,1244,1245,1253],{},[1118,1246,1247],{},[1122,1248,1249,1251],{},[1126,1250],{},[1126,1252],{},[1148,1254,1255,1268,1281],{},[1122,1256,1257,1262],{},[1153,1258,1259],{},[90,1260,1261],{"href":17},"SEI CERT C Coding Standard",[1153,1263,1264],{},[90,1265,1267],{"href":1266},"\u002Fsei-cert-c-coding-standard\u002Frules\u002Fenvironment-env\u002Fenv33-c","ENV33-C. Do not call system()",[1122,1269,1270,1275],{},[1153,1271,1272],{},[90,1273,1274],{"href":20},"SEI CERT C++ Coding Standard",[1153,1276,1277],{},[90,1278,1280],{"href":1279},"\u002Fsei-cert-cpp-coding-standard\u002Fthe-void\u002Fvoid-3-recommendations\u002Fvoid-rec-12-environment-env\u002Fvoid-env02-cpp-do-not-call-system-if-you-do-not-need-a-command-processor","VOID ENV02-CPP. Do not call system() if you do not need a command processor",[1122,1282,1283,1288],{},[1153,1284,1285],{},[90,1286,1287],{"href":23},"CERT Oracle Secure Coding Standard for Java",[1153,1289,1290],{},[90,1291,1293],{"href":1292},"\u002Fsei-cert-oracle-coding-standard-for-java\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids07-j","IDS07-J. 
Sanitize untrusted data passed to the Runtime.exec() method",[96,1295,1297],{"id":1296},"bibliography","Bibliography",[1114,1299,1300,1308],{},[1118,1301,1302],{},[1122,1303,1304,1306],{},[1126,1305],{},[1126,1307],{},[1148,1309,1310,1325],{},[1122,1311,1312,1319],{},[1153,1313,1314,1315,1318],{},"[ ",[90,1316,913],{"href":918,"rel":1317},[645]," ]",[1153,1320,1321],{},[90,1322,1324],{"href":918,"rel":1323},[645],"XMMS Remote input validation error",[1122,1326,1327,1333],{},[1153,1328,1314,1329,1318],{},[90,1330,1332],{"href":1331},"\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Faa-bibliography#AA.Bibliography-Manpages","Wall 2011",[1153,1334,1335],{},[90,1336,646],{"href":643,"rel":1337},[645],[1339,1340],"hr",{},[39,1342,1343,1349,1350,1349,1356],{},[90,1344,1345],{"href":92},[1346,1347],"img",{"src":1348},"\u002Fattachments\u002F88890562\u002F88892207.png"," ",[90,1351,1353],{"href":1352},"\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002F",[1346,1354],{"src":1355},"\u002Fattachments\u002F88890562\u002F88892209.png",[90,1357,1359],{"href":1358},"\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids35-pl",[1346,1360],{"src":1361},"\u002Fattachments\u002F88890562\u002F88892208.png",[1363,1364,1365],"style",{},"html pre.shiki code .sC2Qs, html code.shiki .sC2Qs{--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sMOD_, html code.shiki .sMOD_{--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sTrkL, html code.shiki .sTrkL{--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}html pre.shiki code .sstjo, html code.shiki .sstjo{--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: 
var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sk8M1, html code.shiki .sk8M1{--shiki-default:#24292E;--shiki-default-font-style:inherit;--shiki-dark:#E1E4E8;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .s7F3e, html code.shiki .s7F3e{--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sq6CD, html code.shiki .sq6CD{--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .srTi1, html code.shiki .srTi1{--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sFxd3, html code.shiki .sFxd3{--shiki-default:#032F62;--shiki-dark:#DBEDFF;--shiki-sepia:#E6DB74}html pre.shiki 
code .sHuvb, html code.shiki .sHuvb{--shiki-default:#22863A;--shiki-default-font-weight:bold;--shiki-dark:#85E89D;--shiki-dark-font-weight:bold;--shiki-sepia:#AE81FF;--shiki-sepia-font-weight:inherit}",{"title":124,"searchDepth":142,"depth":142,"links":1367},[1368,1370,1371,1372,1373,1374,1376,1378,1379,1380,1381],{"id":98,"depth":142,"text":1369},"Noncompliant Code Example ( open() )",{"id":369,"depth":142,"text":370},{"id":532,"depth":142,"text":533},{"id":664,"depth":142,"text":665},{"id":818,"depth":142,"text":819},{"id":910,"depth":142,"text":1375},"Noncompliant Code Example ( VU#583020 )",{"id":1001,"depth":142,"text":1377},"Compliant Solution ( VU#583020 )",{"id":1108,"depth":142,"text":1109},{"id":1181,"depth":142,"text":1182},{"id":1241,"depth":142,"text":1242},{"id":1296,"depth":142,"text":1297},"md",{"tags":1384},[1385,1386],"ids","rule","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids34-pl",{"title":30,"description":41},"7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F6.ids34-pl","MzDLb0tCWY6k_Ea6GJsNzgD1jsq8-_QHy5JL9yP_CdU",[1392,1394],{"title":93,"path":92,"stem":1393,"children":-1},"7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F5.ids33-pl",{"title":1395,"path":1358,"stem":1396,"children":-1},"IDS35-PL. 
Do not invoke the eval form with a string argument","7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F7.ids35-pl",[1398],{"title":1399,"path":1400,"stem":1401,"children":1402},"SEI CERT Perl Coding Standard","\u002Fsei-cert-perl-coding-standard","7.sei-cert-perl-coding-standard\u002F1.index",[1403,1404,1459,1578,1726],{"title":1399,"path":1400,"stem":1401},{"title":1405,"path":1406,"stem":1407,"children":1408},"Front Matter","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F1.index",[1409,1410,1414],{"title":1405,"path":1406,"stem":1407},{"title":1411,"path":1412,"stem":1413},"Deprecations","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fdeprecations","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F2.deprecations",{"title":1415,"path":1416,"stem":1417,"children":1418},"Introduction","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F01.index",[1419,1420,1424,1428,1432,1436,1440,1444,1447,1451,1455],{"title":1415,"path":1416,"stem":1417},{"title":1421,"path":1422,"stem":1423},"Scope","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fscope","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F01.scope",{"title":1425,"path":1426,"stem":1427},"Tool Selection and Validation","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Ftool-selection-and-validation","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F02.tool-selection-and-validation",{"title":1429,"path":1430,"stem":1431},"Rules versus 
Recommendations","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Frules-versus-recommendations","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F03.rules-versus-recommendations",{"title":1433,"path":1434,"stem":1435},"Development Process","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fdevelopment-process","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F04.development-process",{"title":1437,"path":1438,"stem":1439},"Usage","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fusage","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F05.usage",{"title":1441,"path":1442,"stem":1443},"System Qualities","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fsystem-qualities","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F06.system-qualities",{"title":1109,"path":1445,"stem":1446},"\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Frisk-assessment","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F07.risk-assessment",{"title":1448,"path":1449,"stem":1450},"Source Code Validation","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fsource-code-validation","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F08.source-code-validation",{"title":1452,"path":1453,"stem":1454},"Automatically Generated 
Code","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fautomatically-generated-code","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F09.automatically-generated-code",{"title":1456,"path":1457,"stem":1458},"Acknowledgements","\u002Fsei-cert-perl-coding-standard\u002Ffront-matter\u002Fintroduction\u002Facknowledgements","7.sei-cert-perl-coding-standard\u002F2.front-matter\u002F3.introduction\u002F11.acknowledgements",{"title":1460,"path":1461,"stem":1462,"children":1463},"Rules","\u002Fsei-cert-perl-coding-standard\u002Frules","7.sei-cert-perl-coding-standard\u002F3.rules\u002F1.index",[1464,1465,1481,1507,1517,1536,1540,1554,1564],{"title":1460,"path":1461,"stem":1462},{"title":1466,"path":1467,"stem":1468,"children":1469},"Declarations and Initialization (DCL)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fdeclarations-and-initialization-dcl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F2.declarations-and-initialization-dcl\u002F1.index",[1470,1471,1475,1477],{"title":1466,"path":1467,"stem":1468},{"title":1472,"path":1473,"stem":1474},"DCL30-PL. Do not import deprecated modules","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fdeclarations-and-initialization-dcl\u002Fdcl30-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F2.declarations-and-initialization-dcl\u002F2.dcl30-pl",{"title":998,"path":997,"stem":1476},"7.sei-cert-perl-coding-standard\u002F3.rules\u002F2.declarations-and-initialization-dcl\u002F3.dcl31-pl",{"title":1478,"path":1479,"stem":1480},"DCL33-PL. 
Declare identifiers before using them","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fdeclarations-and-initialization-dcl\u002Fdcl33-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F2.declarations-and-initialization-dcl\u002F4.dcl33-pl",{"title":1482,"path":1483,"stem":1484,"children":1485},"Expressions (EXP)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fexpressions-exp","7.sei-cert-perl-coding-standard\u002F3.rules\u002F3.expressions-exp\u002F1.index",[1486,1487,1491,1495,1499,1503],{"title":1482,"path":1483,"stem":1484},{"title":1488,"path":1489,"stem":1490},"EXP30-PL. Do not use deprecated or obsolete functions or modules","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fexpressions-exp\u002Fexp30-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F3.expressions-exp\u002F2.exp30-pl",{"title":1492,"path":1493,"stem":1494},"EXP31-PL. Do not suppress or ignore exceptions","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fexpressions-exp\u002Fexp31-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F3.expressions-exp\u002F3.exp31-pl",{"title":1496,"path":1497,"stem":1498},"EXP32-PL. Do not ignore function return values","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fexpressions-exp\u002Fexp32-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F3.expressions-exp\u002F4.exp32-pl",{"title":1500,"path":1501,"stem":1502},"EXP33-PL. Do not invoke a function in a context for which it is not defined","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fexpressions-exp\u002Fexp33-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F3.expressions-exp\u002F5.exp33-pl",{"title":1504,"path":1505,"stem":1506},"EXP35-PL. 
Use the correct operator type for comparing values","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fexpressions-exp\u002Fexp35-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F3.expressions-exp\u002F6.exp35-pl",{"title":1508,"path":1509,"stem":1510,"children":1511},"File Input and Output (FIO)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Ffile-input-and-output-fio","7.sei-cert-perl-coding-standard\u002F3.rules\u002F4.file-input-and-output-fio\u002F1.index",[1512,1513],{"title":1508,"path":1509,"stem":1510},{"title":1514,"path":1515,"stem":1516},"FIO30-PL. Use compatible character encodings when performing network or file I\u002FO","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Ffile-input-and-output-fio\u002Ffio30-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F4.file-input-and-output-fio\u002F2.fio30-pl",{"title":1518,"path":1519,"stem":1520,"children":1521},"Input Validation and Data Sanitization (IDS)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids","7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F1.index",[1522,1523,1527,1529,1533,1534,1535],{"title":1518,"path":1519,"stem":1520},{"title":1524,"path":1525,"stem":1526},"IDS30-PL. Exclude user input from format strings","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids30-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F2.ids30-pl",{"title":112,"path":111,"stem":1528},"7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F3.ids31-pl",{"title":1530,"path":1531,"stem":1532},"IDS32-PL. 
Validate any integer that is used as an array index","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids32-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F5.input-validation-and-data-sanitization-ids\u002F4.ids32-pl",{"title":93,"path":92,"stem":1393},{"title":30,"path":1387,"stem":1389},{"title":1395,"path":1358,"stem":1396},{"title":1537,"path":1538,"stem":1539},"Integers (INT)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fintegers-int","7.sei-cert-perl-coding-standard\u002F3.rules\u002F6.integers-int",{"title":1541,"path":1542,"stem":1543,"children":1544},"Miscellaneous (MSC)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fmiscellaneous-msc","7.sei-cert-perl-coding-standard\u002F3.rules\u002F7.miscellaneous-msc\u002F1.index",[1545,1546,1550],{"title":1541,"path":1542,"stem":1543},{"title":1547,"path":1548,"stem":1549},"MSC31-PL. Do not embed global statements","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fmsc31-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F7.miscellaneous-msc\u002F2.msc31-pl",{"title":1551,"path":1552,"stem":1553},"MSC32-PL. Do not provide a module's version value from outside the module","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fmsc32-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F7.miscellaneous-msc\u002F3.msc32-pl",{"title":1555,"path":1556,"stem":1557,"children":1558},"Object-Oriented Programming (OOP)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fobject-oriented-programming-oop","7.sei-cert-perl-coding-standard\u002F3.rules\u002F8.object-oriented-programming-oop\u002F1.index",[1559,1560],{"title":1555,"path":1556,"stem":1557},{"title":1561,"path":1562,"stem":1563},"OOP32-PL. 
Prohibit indirect object call syntax","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fobject-oriented-programming-oop\u002Foop32-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F8.object-oriented-programming-oop\u002F2.oop32-pl",{"title":1565,"path":1566,"stem":1567,"children":1568},"Strings (STR)","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fstrings-str","7.sei-cert-perl-coding-standard\u002F3.rules\u002F9.strings-str\u002F1.index",[1569,1570,1574],{"title":1565,"path":1566,"stem":1567},{"title":1571,"path":1572,"stem":1573},"STR30-PL. Capture variables should be read only immediately after a successful regex match","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fstrings-str\u002Fstr30-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F9.strings-str\u002F2.str30-pl",{"title":1575,"path":1576,"stem":1577},"STR31-PL. Do not pass string literals to functions expecting regexes","\u002Fsei-cert-perl-coding-standard\u002Frules\u002Fstrings-str\u002Fstr31-pl","7.sei-cert-perl-coding-standard\u002F3.rules\u002F9.strings-str\u002F3.str31-pl",{"title":1579,"path":1580,"stem":1581,"children":1582},"Recommendations","\u002Fsei-cert-perl-coding-standard\u002Frecommendations","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F1.index",[1583,1584,1613,1646,1659,1672,1685,1710,1723],{"title":1579,"path":1580,"stem":1581},{"title":1466,"path":1585,"stem":1586,"children":1587},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F2.declarations-and-initialization-dcl\u002F1.index",[1588,1589,1593,1597,1601,1605,1609],{"title":1466,"path":1585,"stem":1586},{"title":1590,"path":1591,"stem":1592},"DCL00-PL. 
Do not use subroutine prototypes","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl\u002Fdcl00-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F2.declarations-and-initialization-dcl\u002F2.dcl00-pl",{"title":1594,"path":1595,"stem":1596},"DCL01-PL. Do not reuse variable names in subscopes","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl\u002Fdcl01-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F2.declarations-and-initialization-dcl\u002F3.dcl01-pl",{"title":1598,"path":1599,"stem":1600},"DCL02-PL. Any modified punctuation variable should be declared local","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl\u002Fdcl02-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F2.declarations-and-initialization-dcl\u002F4.dcl02-pl",{"title":1602,"path":1603,"stem":1604},"DCL03-PL. Do not read a foreach iterator variable after the loop has completed","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl\u002Fdcl03-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F2.declarations-and-initialization-dcl\u002F5.dcl03-pl",{"title":1606,"path":1607,"stem":1608},"DCL04-PL. Always initialize local variables","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl\u002Fdcl04-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F2.declarations-and-initialization-dcl\u002F6.dcl04-pl",{"title":1610,"path":1611,"stem":1612},"DCL05-PL. 
Prohibit Perl4 package names","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl\u002Fdcl05-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F2.declarations-and-initialization-dcl\u002F7.dcl05-pl",{"title":1482,"path":1614,"stem":1615,"children":1616},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F1.index",[1617,1618,1622,1626,1630,1634,1638,1642],{"title":1482,"path":1614,"stem":1615},{"title":1619,"path":1620,"stem":1621},"EXP00-PL. Do not return undef","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp\u002Fexp00-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F2.exp00-pl",{"title":1623,"path":1624,"stem":1625},"EXP01-PL. Do not depend on the return value of functions that lack a return statement","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp\u002Fexp01-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F3.exp01-pl",{"title":1627,"path":1628,"stem":1629},"EXP03-PL. Do not diminish the benefits of constants by assuming their values in expressions","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp\u002Fexp03-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F4.exp03-pl",{"title":1631,"path":1632,"stem":1633},"EXP04-PL. Do not mix the early-precedence logical operators with late-precedence logical operators","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp\u002Fexp04-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F5.exp04-pl",{"title":1635,"path":1636,"stem":1637},"EXP06-PL. 
Do not use an array in an implicit scalar context","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp\u002Fexp06-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F6.exp06-pl",{"title":1639,"path":1640,"stem":1641},"EXP07-PL. Do not modify $_ in list or sorting functions","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp\u002Fexp07-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F7.exp07-pl",{"title":1643,"path":1644,"stem":1645},"EXP08-PL. Do not use the one-argument form of select()","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fexpressions-exp\u002Fexp08-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F3.expressions-exp\u002F8.exp08-pl",{"title":1508,"path":1647,"stem":1648,"children":1649},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Ffile-input-and-output-fio","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F4.file-input-and-output-fio\u002F1.index",[1650,1651,1655],{"title":1508,"path":1647,"stem":1648},{"title":1652,"path":1653,"stem":1654},"FIO00-PL. Do not use bareword file handles","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Ffile-input-and-output-fio\u002Ffio00-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F4.file-input-and-output-fio\u002F2.fio00-pl",{"title":1656,"path":1657,"stem":1658},"FIO01-PL. 
Do not operate on files that can be modified by untrusted users","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Ffile-input-and-output-fio\u002Ffio01-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F4.file-input-and-output-fio\u002F3.fio01-pl",{"title":1518,"path":1660,"stem":1661,"children":1662},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Finput-validation-and-data-sanitization-ids","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F5.input-validation-and-data-sanitization-ids\u002F1.index",[1663,1664,1668],{"title":1518,"path":1660,"stem":1661},{"title":1665,"path":1666,"stem":1667},"IDS00-PL. Canonicalize path names before validating them","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Finput-validation-and-data-sanitization-ids\u002Fids00-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F5.input-validation-and-data-sanitization-ids\u002F2.ids00-pl",{"title":1669,"path":1670,"stem":1671},"IDS01-PL. Use taint mode while being aware of its limitations","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Finput-validation-and-data-sanitization-ids\u002Fids01-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F5.input-validation-and-data-sanitization-ids\u002F3.ids01-pl",{"title":1537,"path":1673,"stem":1674,"children":1675},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fintegers-int","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F6.integers-int\u002F1.index",[1676,1677,1681],{"title":1537,"path":1673,"stem":1674},{"title":1678,"path":1679,"stem":1680},"INT00-PL. Do not prepend leading zeroes to integer literals","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fintegers-int\u002Fint00-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F6.integers-int\u002F2.int00-pl",{"title":1682,"path":1683,"stem":1684},"INT01-PL. 
Use small integers when precise computation is required","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fintegers-int\u002Fint01-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F6.integers-int\u002F3.int01-pl",{"title":1541,"path":1686,"stem":1687,"children":1688},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F7.miscellaneous-msc\u002F1.index",[1689,1690,1694,1698,1702,1706],{"title":1541,"path":1686,"stem":1687},{"title":1691,"path":1692,"stem":1693},"MSC00-PL. Detect and remove dead code","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc\u002Fmsc00-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F7.miscellaneous-msc\u002F2.msc00-pl",{"title":1695,"path":1696,"stem":1697},"MSC01-PL. Detect and remove unused variables","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc\u002Fmsc01-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F7.miscellaneous-msc\u002F3.msc01-pl",{"title":1699,"path":1700,"stem":1701},"MSC02-PL. Run programs with full warnings and strict checking","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc\u002Fmsc02-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F7.miscellaneous-msc\u002F4.msc02-pl",{"title":1703,"path":1704,"stem":1705},"MSC03-PL. Do not use select() to sleep","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc\u002Fmsc03-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F7.miscellaneous-msc\u002F5.msc03-pl",{"title":1707,"path":1708,"stem":1709},"MSC04-PL. 
Do not use comma to separate statements","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc\u002Fmsc04-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F7.miscellaneous-msc\u002F6.msc04-pl",{"title":1555,"path":1711,"stem":1712,"children":1713},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fobject-oriented-programming-oop","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F8.object-oriented-programming-oop\u002F1.index",[1714,1715,1719],{"title":1555,"path":1711,"stem":1712},{"title":1716,"path":1717,"stem":1718},"OOP00-PL. Do not signify inheritence at runtime","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fobject-oriented-programming-oop\u002Foop00-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F8.object-oriented-programming-oop\u002F2.oop00-pl",{"title":1720,"path":1721,"stem":1722},"OOP01-PL. Do not access private variables or subroutines in other packages","\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fobject-oriented-programming-oop\u002Foop01-pl","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F8.object-oriented-programming-oop\u002F3.oop01-pl",{"title":1565,"path":1724,"stem":1725},"\u002Fsei-cert-perl-coding-standard\u002Frecommendations\u002Fstrings-str","7.sei-cert-perl-coding-standard\u002F4.recommendations\u002F9.strings-str",{"title":1727,"path":1728,"stem":1729,"children":1730},"Back Matter","\u002Fsei-cert-perl-coding-standard\u002Fback-matter","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F1.index",[1731,1732,1736,1764],{"title":1727,"path":1728,"stem":1729},{"title":1733,"path":1734,"stem":1735},"AA. Bibliography","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Faa-bibliography","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F2.aa-bibliography",{"title":1737,"path":1738,"stem":1739,"children":1740},"BB. 
Analyzers","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fbb-analyzers","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F3.bb-analyzers\u002F1.index",[1741,1742,1746,1750,1754,1758,1760],{"title":1737,"path":1738,"stem":1739},{"title":1743,"path":1744,"stem":1745},"Critic","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fcritic","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F3.bb-analyzers\u002F2.critic",{"title":1747,"path":1748,"stem":1749},"Critic_V","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fcritic_v","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F3.bb-analyzers\u002F3.critic_v",{"title":1751,"path":1752,"stem":1753},"Lint","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Flint","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F3.bb-analyzers\u002F4.lint",{"title":1755,"path":1756,"stem":1757},"Lint_V","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Flint_v","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F3.bb-analyzers\u002F5.lint_v",{"title":1231,"path":1230,"stem":1759},"7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F3.bb-analyzers\u002F6.security-reviewer-static-reviewer",{"title":1761,"path":1762,"stem":1763},"Security Reviewer - Static Reviewer_V","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fsecurity-reviewer-static-reviewer_v","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F3.bb-analyzers\u002F7.security-reviewer-static-reviewer_v",{"title":1765,"path":1766,"stem":1767},"CC. Risk Assessments","\u002Fsei-cert-perl-coding-standard\u002Fback-matter\u002Fcc-risk-assessments","7.sei-cert-perl-coding-standard\u002F5.back-matter\u002F4.cc-risk-assessments",1775657793712]