
Do not use deprecated or obsolescent functions when more secure equivalent functions are available.

Here is a list of deprecated functions along with their recommended alternatives if available:

| Deprecated | Preferred |
|---|---|
| die() | Carp::croak() |
| warn() | Carp::carp() |
| -t | IO::Interactive |
| format() | Template, Perl6::Form |

Noncompliant Code Example (die())

This noncompliant code example tries to open a file and invokes the obsolete die() function if the open fails.

```perl
my $file;    # path of the file to open
# die() reports this file and line number in its message
open(FILE, "<", $file) or die "error opening $file: stopped";
# work with FILE
```

The die() function is considered deprecated because it prints the file name and line number at which it was invoked. This might be sensitive information.

Compliant Solution (croak())

This compliant solution uses the croak() function instead of die().

```perl
use Carp;

my $file;    # path of the file to open
open(FILE, "<", $file) or croak "error opening $file: stopped";
# work with FILE
```

Unlike die(), croak() provides the file name and line number of the function that invoked the function that invoked croak(). This is more useful for application code that invokes library code; in this case, croak() and carp() also will reveal the file name and line number of the application code rather than the library code.
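The difference described above, as an added example that is not part of the original guideline. `My::Config` is a hypothetical library package, and the path is a constructed one assumed not to exist.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical library package, constructed for this example.
package My::Config;
use Carp;

sub load_with_die {
    my ($path) = @_;
    # die() appends the file and line of this statement, inside the library.
    open(my $fh, '<', $path) or die "error opening $path: stopped";
    close($fh);
    return 1;
}

sub load_with_croak {
    my ($path) = @_;
    # croak() appends the file and line of the code that called this function.
    open(my $fh, '<', $path) or croak "error opening $path: stopped";
    close($fh);
    return 1;
}

package main;

# Extract the line number that die()/croak() appended to the message.
sub reported_line {
    my ($message) = @_;
    return $message =~ / line (\d+)\.$/m ? $1 : undef;
}

my $missing = '/nonexistent/example.conf';    # constructed path, assumed absent

my $die_call = __LINE__ + 1;
eval { My::Config::load_with_die($missing); 1 };
my $die_msg = $@;
printf "die:   %s  called from line %d, message reports line %d\n",
    $die_msg, $die_call, reported_line($die_msg);

my $croak_call = __LINE__ + 1;
eval { My::Config::load_with_croak($missing); 1 };
my $croak_msg = $@;
printf "croak: %s  called from line %d, message reports line %d\n",
    $croak_msg, $croak_call, reported_line($croak_msg);
```

The caller must be in a different package from the function that calls croak(): when every frame on the call stack is in the same package, Carp gives up on the short message and emits a full stack backtrace instead.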

Risk Assessment

Using deprecated or obsolete classes or methods in program code can lead to erroneous behavior.

Recommendation

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP30-PL | info | probable | low | P12 | L1 |

Automated Detection

| Tool | Diagnostic |
|---|---|
| Perl::Critic | ErrorHandling::RequireCarping |
| | InputOutput::ProhibitInteractiveTest |
| | Miscellanea::ProhibitFormats |

Related Guidelines

CERT C Secure Coding Standard: MSC34-C. Do not use deprecated or obsolescent functions

The CERT Oracle Secure Coding Standard for Java: MET02-J. Do not use deprecated or obsolete classes or methods

Bibliography

[CPAN] Elliot Shank, Perl-Critic-1.116 (http://search.cpan.org/~elliotjs/Perl-Critic-1.116/): RequireCarping (http://search.cpan.org/~elliotjs/Perl-Critic-1.116/lib/Perl/Critic/Policy/ErrorHandling/RequireCarping.pm), InteractiveTest (http://search.cpan.org/~elliotjs/Perl-Critic-1.116/lib/Perl/Critic/Policy/InputOutput/ProhibitInteractiveTest.pm), ProhibitFormats (http://search.cpan.org/~elliotjs/Perl-Critic-1.116/lib/Perl/Critic/Policy/Miscellanea/ProhibitFormats.pm)

[Conway 2005]

