Perl has a large number of punctuation variables. They control the behavior of various operations in the Perl interpreter. While they are initially set to reasonable default values, any Perl code can change their values for its own internal purposes. If a program modifies one of these variables, it is obligated to reset the variable to its default value; otherwise it alters the behavior of subsequent, unrelated code. The easiest way for a program to clean up after itself is to declare such variables {{local}} when modifying them, so that the previous value is restored automatically when the enclosing block exits.
h2. Noncompliant Code Example

This noncompliant code example shows a subroutine that counts the number of virtual users on this platform. The count is deduced from the number of entries in the {{/etc/passwd}} file whose shell is the program {{/usr/bin/false}}.
{code:bgColor=#ffcccc|lang=perl}
sub count_virtual_users {
  my $result = 0;
  # Changes the global input record separator and never restores it
  $/ = ":";
  open( PASSWD, "<", "/etc/passwd") or die "Cannot open /etc/passwd: $!";
  while (<PASSWD>) {
    # With ":" as the separator, the shell field of one entry and the
    # user name of the next entry end up in the same record, split by "\n"
    my @items = split "\n";
    foreach (@items) {
      if ($_ eq "/usr/bin/false") {
        $result++;
      }
    }
  }
  close(PASSWD);
  $result;
}
{code}

This program produces the correct result, but it leaves the {{$/}} variable set to an unusual value ({{:}}). Subsequent reads of any file, anywhere in the program, will use this character as the end-of-line delimiter rather than the default newline.

h2. Compliant Solution
This compliant solution produces the same result but localizes the punctuation variable with {{local}}. Consequently, when the subroutine returns, the {{$/}} variable is restored to its original value, and subsequent file reads behave as expected.
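To make the difference between the two subroutines observable, the following is an added, self-contained Perl script written for this page (it is not code from the original standard). It runs a leaky and a localized version of the counting subroutine against a constructed, in-memory set of {{passwd}}-style records and then performs an unrelated line-oriented read of the same data. The subroutine names {{count_false_shells_in}}, {{count_virtual_users_leaky}}, {{count_virtual_users_local}}, {{count_lines}} and {{separator_is_default}}, and the four sample records, are assumptions made for this demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of /etc/passwd-style records; not read from a real file.
# Two of the four entries use /usr/bin/false as their shell.
my $passwd_data = join("\n",
    'root:x:0:0:root:/root:/bin/bash',
    'daemon:x:1:1:daemon:/usr/sbin:/usr/bin/false',
    'nobody:x:65534:65534:nobody:/nonexistent:/usr/bin/false',
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash',
) . "\n";

# Shared scanning loop. It reads with whatever record separator is in
# effect when it is called, which is exactly why a leaked $/ matters.
sub count_false_shells_in {
    my ($fh) = @_;
    my $result = 0;
    while (<$fh>) {
        # With $/ set to ":", the shell field of one entry and the user
        # name of the next entry share a record, separated by a newline
        foreach my $item (split "\n") {
            $result++ if $item eq '/usr/bin/false';
        }
    }
    return $result;
}

# Noncompliant: assigns to the global $/ and never restores it.
sub count_virtual_users_leaky {
    my ($data_ref) = @_;
    $/ = ':';
    open(my $fh, '<', $data_ref) or die "open: $!";
    my $n = count_false_shells_in($fh);
    close $fh;
    return $n;
}

# Compliant: local saves $/ and restores it when the subroutine exits,
# whether by return or by die.
sub count_virtual_users_local {
    my ($data_ref) = @_;
    local $/ = ':';
    open(my $fh, '<', $data_ref) or die "open: $!";
    my $n = count_false_shells_in($fh);
    close $fh;
    return $n;
}

# Unrelated code elsewhere in the program that expects newline-terminated lines.
sub count_lines {
    my ($data_ref) = @_;
    open(my $fh, '<', $data_ref) or die "open: $!";
    my @lines = <$fh>;
    close $fh;
    return scalar @lines;
}

# Reports whether the input record separator is still the default newline.
sub separator_is_default {
    return defined $/ && $/ eq "\n";
}

my $leaky = count_virtual_users_leaky(\$passwd_data);
printf "leaky version: %d virtual users; \$/ still default? %s\n",
    $leaky, separator_is_default() ? 'yes' : 'no';
printf "  unrelated count_lines now reports %d records\n",
    count_lines(\$passwd_data);

$/ = "\n";    # manual repair that the noncompliant code forces on its callers

my $localized = count_virtual_users_local(\$passwd_data);
printf "local version: %d virtual users; \$/ still default? %s\n",
    $localized, separator_is_default() ? 'yes' : 'no';
printf "  unrelated count_lines reports %d records\n",
    count_lines(\$passwd_data);
```

Both counting subroutines report the same number of virtual users. After the leaky version, however, {{count_lines}} reports one entry per colon-terminated record instead of one per line, because it silently inherited the modified {{$/}}; after the localized version it reports the number of lines in the sample, and {{separator_is_default}} confirms that {{$/}} was restored without any manual repair.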
{code:bgColor=#ccccff|lang=perl}
sub count_virtual_users {
  my $result = 0;
  # local saves the current value of $/ and restores it when the
  # subroutine exits, whether normally or via die
  local $/ = ":";
  open( PASSWD, "<", "/etc/passwd") or die "Cannot open /etc/passwd: $!";
  while (<PASSWD>) {
    my @items = split "\n";
    foreach (@items) {
      if ($_ eq "/usr/bin/false") {
        $result++;
      }
    }
  }
  close(PASSWD);
  $result;
}
{code}

h2. Exceptions

*DCL02-EX0*: This rule does not apply to object methods. Object methods are easy for the parser to distinguish from built-in functions or keywords due to their distinct syntax.
The following global variables may be modified without being declared {{local}}:

| $_ | $ARG | |
| @_ | @ARG | |
| $! | $ERRNO | $OS_ERROR |
| %ENV | $ENV{expr} | |
| %SIG | $SIG{expr} | |
| %INC | | |

h2. Risk Assessment

Modifying punctuation variables without declaring them local can corrupt data and create unexpected program behavior.

|| Recommendation || Severity || Likelihood || Remediation Cost || Priority || Level ||
| DCL02-PL | low | probable | medium | {color:green}P2{color} | {color:green}L3{color} |

h2. Automated Detection

|| Tool || Diagnostic ||
| Perl::Critic | Variables::RequireLocalizedPunctuationVars |

h2. Related Guidelines

[cplusplus:CERT C++ Secure Coding Standard]: [cplusplus:DCL32-CPP. Do not declare or define a reserved identifier]
[seccode:CERT C Secure Coding Standard]: [seccode:DCL37-C. Do not declare or define a reserved identifier]

h2. Bibliography

\[[CPAN|AA. Bibliography#CPAN]\] [Elliot Shank, Perl-Critic-1.116|http://search.cpan.org/~elliotjs/Perl-Critic-1.116/] [Variables::RequireLocalizedPunctuationVars|http://search.cpan.org/dist/Perl-Critic/lib/Perl/Critic/Policy/Variables/RequireLocalizedPunctuationVars.pm]
\[[Wall 2011|AA. Bibliography#Manpages]\] [perlfunc|http://perldoc.perl.org/perlfunc.html], [perlvar|http://perldoc.perl.org/perlvar.html]
----
[!CERT Perl Secure Coding Standard^button_arrow_left.png!|DCL30-PL. Do not import deprecated modules] [!CERT Perl Secure Coding Standard^button_arrow_up.png!|01. Declarations and Initialization] [!CERT Perl Secure Coding Standard^button_arrow_right.png!|DCL32-PL. Every module must return a true value]