
Do not use deprecated or obsolescent functions when more secure equivalent functions are available.

Here is a list of deprecated functions, along with their recommended alternatives where one is available:

Deprecated            Preferred
UNIVERSAL::can()      $object->can() method
UNIVERSAL::isa()      $object->isa() method
die()                 Carp::croak()
warn()                Carp::carp()
-t                    IO::Interactive
format()              Template, Perl6::Form
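The first two rows of the table deserve a closer look, because the difference is behavioural rather than cosmetic. The following script is an added example, not code from the CERT page: Account and Account::Proxy are hypothetical classes written only to show that UNIVERSAL::can() and UNIVERSAL::isa() bypass the object's own method resolution, while the method forms honour it.

```perl
#!/usr/bin/perl
# Added example, not from the CERT page: why the method forms $object->can()
# and $object->isa() are preferred over UNIVERSAL::can() and UNIVERSAL::isa().
# Account and Account::Proxy are hypothetical classes written for this demo.
use strict;
use warnings;

package Account;
sub new     { my ($class, %args) = @_; return bless {%args}, $class }
sub balance { my ($self) = @_; return $self->{balance} }

# A proxy that wraps an Account and forwards method calls to it.  It overrides
# can() and isa() so that callers may treat it exactly like an Account.
package Account::Proxy;
our $AUTOLOAD;
sub new { my ($class, $target) = @_; return bless { target => $target }, $class }

sub isa {
    my ($self, $class) = @_;
    return $self->SUPER::isa($class) unless ref $self;   # called as a class method
    return $self->{target}->isa($class);
}

sub can {
    my ($self, $method) = @_;
    return $self->SUPER::can($method) unless ref $self;  # called as a class method
    return unless $self->{target}->can($method);
    return sub { my $proxy = shift; return $proxy->{target}->$method(@_) };
}

sub AUTOLOAD {
    my $self = shift;
    (my $method = $AUTOLOAD) =~ s/.*:://;
    return if $method eq 'DESTROY';
    return $self->{target}->$method(@_);
}

package main;

my $account = Account->new(balance => 42);
my $proxy   = Account::Proxy->new($account);

# Method form: dispatches through the object's class, so the proxy's
# overrides are honoured and the wrapped Account is found.
printf "\$proxy->isa('Account')            : %s\n", $proxy->isa('Account') ? 'true' : 'false';
printf "\$proxy->can('balance')            : %s\n", $proxy->can('balance') ? 'true' : 'false';
printf "balance via can()                  : %d\n", $proxy->can('balance')->($proxy);

# Function form: bypasses method resolution and inspects only @ISA and the
# symbol table, so the same object is reported as neither an Account nor
# able to balance().  Code that branches on these answers takes the wrong path.
printf "UNIVERSAL::isa(\$proxy, 'Account') : %s\n", UNIVERSAL::isa($proxy, 'Account') ? 'true' : 'false';
printf "UNIVERSAL::can(\$proxy, 'balance') : %s\n", UNIVERSAL::can($proxy, 'balance') ? 'true' : 'false';

# The function form also answers quietly for values that are not objects at
# all (for an unblessed reference it tests the reference type instead), whereas
# the method form raises the error you want to see.
my $unblessed = [];
printf "UNIVERSAL::isa([], 'ARRAY')        : %s\n", UNIVERSAL::isa($unblessed, 'ARRAY') ? 'true' : 'false';
eval { $unblessed->isa('ARRAY') };
print  "[]->isa('ARRAY')                   : died: $@";
```

Any delegating wrapper, test double or tainted-value wrapper that overrides can() or isa() is misclassified by the UNIVERSAL:: functions in exactly this way, which is why Perl::Critic flags them.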

Noncompliant Code Example (die())

This noncompliant code example tries to open a file and calls die() if the open fails.

use strict;
use warnings;

my $file = shift @ARGV;    # path to open, supplied on the command line
open(my $fh, "<", $file) or die "error opening $file: stopped";
# ...

The die() function is considered deprecated by this standard because it appends to the message the file name and line number of the die() call itself. For library code that location is a line inside the library rather than the application's call site, and if the message reaches a user it can reveal internal file names, which might be sensitive information.

Compliant Solution (croak())

This compliant solution uses the croak() function from the Carp module instead of die().

use strict;
use warnings;
use Carp qw(croak);

my $file = shift @ARGV;    # path to open, supplied on the command line
open(my $fh, "<", $file) or croak "error opening $file: stopped";
# ...

Unlike die(), croak() reports the file name and line number of the code that called the function in which croak() was invoked, not the location of the croak() call itself. This is more useful when application code calls library code: croak() and carp() then point at the application's call site, which is where the bad input originated, rather than at a line inside the library.
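The difference is easiest to see with both variants side by side. The script below is an added example, not code from the CERT page: Config::Loader is a hypothetical library package, and the file path it tries to open is constructed so that the open fails.

```perl
#!/usr/bin/perl
# Added example, not from the CERT page: where die() and croak() report the
# failure.  Config::Loader is a hypothetical library; the file path is constructed.
use strict;
use warnings;

package Config::Loader;
use Carp qw(croak);

# Noncompliant: die() appends the location of this line, inside the library.
sub load_with_die {
    my ($file) = @_;
    open(my $fh, '<', $file) or die "error opening $file: stopped";
    local $/;
    return <$fh>;
}

# Compliant: croak() appends the location of the call in the application,
# because Carp skips stack frames that belong to this package.
sub load_with_croak {
    my ($file) = @_;
    open(my $fh, '<', $file) or croak "error opening $file: stopped";
    local $/;
    return <$fh>;
}

package main;

my $missing = '/nonexistent/app.conf';   # constructed path that does not exist

# Each call is wrapped in eval so the script can display both messages.
eval { Config::Loader::load_with_die($missing) };
print "die:   $@";

eval { Config::Loader::load_with_croak($missing) };
print "croak: $@";
```

Run as a single file, both messages name this script, but the die() message carries the line number inside load_with_die() while the croak() message carries the line of the eval in main. Move Config::Loader into its own .pm file and the die() message names that module file, which is the internal location the noncompliant example leaks; the croak() message still points at the application code that passed the bad path.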

Risk Assessment

Using deprecated or obsolescent functions when more secure equivalents are available can produce error reports that point at the wrong code or disclose internal file names, and can lead to incorrect program flow.

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
EXP30-PL        info      probable    low               P12       L1

Automated Detection

Tool          Diagnostic
Perl::Critic  BuiltinFunctions::ProhibitUniversalCan
              BuiltinFunctions::ProhibitUniversalIsa
              ErrorHandling::RequireCarping
              InputOutput::ProhibitInteractiveTest
              Miscellanea::ProhibitFormats

Related Guidelines

CERT C Secure Coding Standard: MSC34-C. Do not use deprecated or obsolescent functions

The CERT Oracle Secure Coding Standard for Java: MET02-J. Do not use deprecated or obsolete classes or methods

Bibliography

open()
CPAN Elliot Shank, Perl-Critic-1.116, ProhibitUniversalCan, ProhibitUniversalIsa, RequireCarping, InteractiveTest, ProhibitFormats

