...
Perl
...
has
...
a
...
large
...
number
...
of
...
punctuation
...
variables.
...
They
...
control
...
the
...
behavior
...
of
...
various
...
operations
...
in
...
the
...
Perl
...
interpreter.
...
While
...
they
...
are
...
initially
...
set
...
to
...
reasonable
...
default
...
values,
...
any
...
Perl
...
code
...
has
...
the
...
ability
...
to
...
change
...
their
...
values
...
for
...
its
...
own
...
internal
...
purposes.
...
If
...
a
...
program
...
modifies
...
one
...
of
...
these
...
variables,
...
it
...
is
...
obligated
...
to
...
reset
...
the
...
variable
...
back
...
to
...
its
...
default
...
value,
...
lest
...
it
...
alter
...
the
...
behavior
...
of
...
subsequent
...
unrelated
...
code.
...
The
...
easiest
...
way
...
for
...
a
...
program
...
to
...
'clean
...
up
...
after
...
itself'
...
is
...
to
...
declare
...
such
...
variables
...
local
...
when
...
modifying
...
them.
...
Noncompliant Code Example
This noncompliant code example shows a subroutine that counts the number of virtual users on this platform. This is deduced by the number of users in the /etc/passwd file that use the program /usr/bin/false
...
as
...
their
...
shell.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| =
| |
| =
| |||||||
} sub count_virtual_users { my $result = 0; $/ = ":"; open( PASSWD, "<", "/etc/passwd"); while (<PASSWD>) { @items = split "\n"; foreach (@items) { if ($_ eq "/usr/bin/false") { $result++; } } } $result; } {code} |
This
...
program
...
produces
...
the
...
correct
...
result,
...
however
...
it
...
leaves
...
the
...
$/
...
variable
...
set
...
to
...
an
...
unusual
...
value
...
(
...
:
...
).
...
Subsequent
...
reads
...
of
...
any
...
file
...
will
...
use
...
this
...
character
...
as
...
the
...
end-of-line
...
delimiter,
...
rather
...
than
...
the
...
typical
...
newline,
...
which
...
is
...
the
...
default
...
value.
Compliant Solution
This compliant solution again produces the same result, but localizes the punctuation variable. Consequently, when the subroutine returns, the $/ variable is restored to its original value, and subsequent file reads behave as expected.
| Code Block | ||||
|---|---|---|---|---|
| ||||
h2. Compliant Solution This compliant solution again produces the same result, but localizes the punctuation variable. Consequently, when the subroutine returns, the {{$/}} variable is restored to its original value, and subsequent file reads behave as expected. {code:bgColor=#ccccff|lang=perl} sub count_virtual_users { my $result = 0; local $/ = ":"; open( PASSWD, "<", "/etc/passwd"); while (<PASSWD>) { @items = split "\n"; foreach (@items) { if ($_ eq "/usr/bin/false") { $result++; } } } $result; } {code} h2. Exceptions * |
Exceptions
DCL02-EX0
...
:
...
The
...
following
...
global
...
variables
...
may
...
be
...
modified
...
without
...
being
...
declared
...
local
...
:
$_ |
...
$ARG |
| |
@_ | @ARG |
|
$! | $ERRNO | $OS_ERROR |
| %ENV | $ENV{expr} |
| %SIG | $SIG{expr} |
| %INC |
|
Risk Assessment
Modifying punctuation variables without declaring them local can corrupt data and create unexpected program behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL02-PL | low | probable | medium | P2 | L3 |
Automated Detection
Tool | Diagnostic |
|---|---|
Perl::Critic | Variables::RequireLocalizedPunctuationVars |
Bibliography
| Wiki Markup |
|---|
\[[CPAN|AA. Bibliography#CPAN]\] [Elliot Shank, Perl-Critic-1.116|http://search.cpan.org/~elliotjs/Perl-Critic-1.116/] [Variables::RequireLocalizedPunctuationVars|http://search.cpan.org/dist/Perl-Critic/lib/Perl/Critic/Policy/Variables/RequireLocalizedPunctuationVars.pm]
\[[Wall 2011|AA. Bibliography#Manpages]\] [perlfunc|http://perldoc.perl.org/perlfunc.html], [perlvar|http://perldoc.perl.org/perlvar.html] |
...
...
01. Declarations and Initialization DCL32-PL.
...
...
...
...
...
...
...
...