From c18065ea52c56b1503077376d135cb6859193946 Mon Sep 17 00:00:00 2001
From: LCD 47
Date: Mon, 3 Mar 2014 09:43:14 +0200
Subject: [PATCH] Security: disable the perl checker by default.
---
 README.markdown | 25 ++++++++++++-------------
 plugin/syntastic/registry.vim | 2 +-
 syntax_checkers/perl/perl.vim | 31 ++++++++++++++++++++++++++-----
 3 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/README.markdown b/README.markdown
index fb4b8bb4..551a04c6 100644
--- a/README.markdown
+++ b/README.markdown
@@ -123,20 +123,18 @@ error output for a syntax checker may have changed. In this case, make sure you have the latest version of the syntax checker installed. If it still fails then create an issue - or better yet, create a pull request. -__Q. Recently some of my syntax checker options have stopped working...__ +__Q. The `perl` checker has stopped working...__ -A. The options are still there, they have just been renamed. Recently, -almost all syntax checkers were refactored to use the new `makeprgBuild()` -function. This made a lot of the old explicit options redundant - as they are -now implied. The new implied options usually have slightly different names to -the old options. - -e.g. Previously there was `g:syntastic_phpcs_conf`, now you must use -`g:syntastic_php_phpcs_args`. This completely overrides the arguments of -the checker, including any defaults, so you may need to look up the default -arguments of the checker and add these in. - -See `:help syntastic-checker-options` for more information. +A. The `perl` checker runs `perl -c` against your file, which in turn +__executes__ any `BEGIN`, `UNITCHECK`, and `CHECK` blocks, and any `use` +statements in your file (cf. [perlrun][10]). This is probably fine if you +wrote the file yourself, but it's a security hazard if you're checking third +party files. Since there is currently no way to disable this behaviour while +still producing useful results, the checker is now disabled by default. To +(re-)enable it, set `g:syntastic_enable_perl_checker` to 1 in your vimrc: +```vim + let g:syntastic_enable_perl_checker = 1 +``` __Q. I run a checker and the location list is not updated...__ @@ -245,3 +243,4 @@ a look at [jedi-vim][7], [python-mode][8], or [YouCompleteMe][9]. [7]: https://github.com/davidhalter/jedi-vim [8]: https://github.com/klen/python-mode [9]: https://github.com/Valloric/YouCompleteMe +[10]: http://perldoc.perl.org/perlrun.html#*-c* 
diff --git a/plugin/syntastic/registry.vim b/plugin/syntastic/registry.vim
index d731fff2..60057f55 100644
--- a/plugin/syntastic/registry.vim
+++ b/plugin/syntastic/registry.vim
@@ -54,7 +54,7 @@ let s:defaultCheckers = {
 \ 'objc': ['gcc'],
 \ 'objcpp': ['gcc'],
 \ 'ocaml': ['camlp4o'],
- \ 'perl': ['perl', 'perlcritic'],
+ \ 'perl': ['perlcritic'],
 \ 'php': ['php', 'phpcs', 'phpmd'],
 \ 'po': ['msgfmt'],
 \ 'pod': ['podchecker'],
diff --git a/syntax_checkers/perl/perl.vim b/syntax_checkers/perl/perl.vim
index f928ae98..2ac6ec98 100644
--- a/syntax_checkers/perl/perl.vim
+++ b/syntax_checkers/perl/perl.vim
@@ -11,6 +11,22 @@
 "
 "============================================================================
 "
+" Security:
+"
+" This checker runs 'perl -c' against your file, which in turn executes
+" any BEGIN, UNITCHECK, and CHECK blocks, and any use statements in
+" your file. This is probably fine if you wrote the file yourself,
+" but it can be a problem if you're trying to check third party files.
+" If you are 100% willing to let Vim run the code in your file, set
+" g:syntastic_enable_perl_checker to 1 in your vimrc to enable this
+" checker:
+"
+" let g:syntastic_enable_perl_checker = 1
+"
+" References:
+"
+" - http://perldoc.perl.org/perlrun.html#*-c*
+"
 " Checker options:
 "
 " - g:syntastic_perl_interpreter (string; default: 'perl')
@@ -24,11 +40,7 @@
 if exists('g:loaded_syntastic_perl_perl_checker')
 finish
 endif
-let g:loaded_syntastic_perl_perl_checker=1
-
-if !exists('g:syntastic_perl_interpreter')
- let g:syntastic_perl_interpreter = 'perl'
-endif
+let g:loaded_syntastic_perl_perl_checker = 1
 
 if !exists('g:syntastic_perl_lib_path')
 let g:syntastic_perl_lib_path = []
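Review bot: Dropping the file-scope default for `g:syntastic_perl_interpreter` (the `-24,11 +40,7` hunk of perl.vim) leaves the variable undefined until `SyntaxCheckers_perl_perl_IsAvailable()` assigns it from `self.getExec()`, while `SyntaxCheckers_perl_perl_GetLocList()` in the following hunk still dereferences it unconditionally in `let exe = expand(g:syntastic_perl_interpreter)`. If the registry ever calls `GetLocList()` on a checker whose `IsAvailable()` did not run in the same session (for instance if availability results are cached), that line fails with an undefined-variable error; the calling order cannot be confirmed from this patch alone. A defensive form that keeps the new `getExec()` default is `let exe = expand(get(g:, 'syntastic_perl_interpreter', self.getExec()))`.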
@@ -38,6 +50,10 @@ let s:save_cpo = &cpo
 set cpo&vim
 
 function! SyntaxCheckers_perl_perl_IsAvailable() dict
+ if !exists('g:syntastic_perl_interpreter')
+ let g:syntastic_perl_interpreter = self.getExec()
+ endif
+
 " don't call executable() here, to allow things like
 " let g:syntastic_perl_interpreter='/usr/bin/env perl'
 silent! call system(syntastic#util#shexpand(g:syntastic_perl_interpreter) . ' -e ' . syntastic#util#shescape('exit(0)'))
@@ -45,6 +61,11 @@ function! SyntaxCheckers_perl_perl_IsAvailable() dict
 endfunction
 
 function! SyntaxCheckers_perl_perl_GetLocList() dict
+ if !exists('g:syntastic_enable_perl_checker') || !g:syntastic_enable_perl_checker
+ call syntastic#log#error('checker perl/perl: checks disabled for security reasons; set g:syntastic_enable_perl_checker to 1 to override')
+ return []
+ endif
+
 let exe = expand(g:syntastic_perl_interpreter)
 if type(g:syntastic_perl_lib_path) == type('')
 call syntastic#log#deprecationWarn('variable g:syntastic_perl_lib_path should be a list')
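Review bot: The opt-in gate added at the top of `SyntaxCheckers_perl_perl_GetLocList()` is a single global switch, so once a user sets `g:syntastic_enable_perl_checker` to 1 for their own project, `perl -c` (and with it the BEGIN/UNITCHECK/CHECK blocks and `use` statements the new header comment describes) also runs for every third-party Perl buffer they open afterwards, which is exactly the case the header calls a hazard. A buffer-local override would let users scope the opt-in to files they trust, e.g. `if !get(b:, 'syntastic_enable_perl_checker', get(g:, 'syntastic_enable_perl_checker', 0))`, which also replaces the separate `exists()` test. Because the gate lives in `GetLocList()` rather than `IsAvailable()`, the checker still reports itself as available and `syntastic#log#error` fires on every run until the flag is set; if that repeated message is the intended nudge, a one-line comment saying so would save the next reader from moving it. The body of `GetLocList()` continues past the end of the hunk.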