From 23dedd4b0c607716a03e495c9a1677df5794dd4d Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Mon, 28 Jan 2019 15:38:11 +0100
Subject: [PATCH] TT#50954 Disable perlcritic's InputOutput::ProhibitExplicitStdin policy

This policy is giving bad advice. The <> operator is security unsafe, as it interprets filenames as if passed to the two-form open function, which means it can do code injection via crafted filenames. While reading from directly might not always be correct, its consequences are far milder than the damage inflicted by the diamond operator.

Change-Id: I0fdf097be3b5e2a3a483f2e5d80f4fdb1f17911b
---
 t/tap-tests-docker/perlcriticrc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/t/tap-tests-docker/perlcriticrc b/t/tap-tests-docker/perlcriticrc
index df9de1c..fda7dc4 100644
--- a/t/tap-tests-docker/perlcriticrc
+++ b/t/tap-tests-docker/perlcriticrc
@@ -68,6 +68,9 @@ severity = 4
 # XXX: Perhaps. Enable per project.
 [-InputOutput::RequireBriefOpen]
+# Wrong. This recommends using the unsafe <>/ operator.
+[-InputOutput::ProhibitExplicitStdin]
+
 # Depends on existing APIs, might break too much code. Enable per project.
 [-Modules::ProhibitAutomaticExportation]
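Review bot: The comment added above `[-InputOutput::ProhibitExplicitStdin]` says the `<>` operator is unsafe but not why, so a future maintainer re-evaluating this disabled policy has no way to judge the trade-off from the rc file alone. The reason belongs in the comment: `<>` reads the names in @ARGV with two-argument open semantics, so open-mode metacharacters in a file name (a leading or trailing pipe, a redirect) are honoured rather than treated as part of the name, which is why reading `<STDIN>` explicitly is preferred here; I would write it as `# Wrong: <> opens @ARGV names with two-arg open semantics (mode metacharacters in file names are honoured), so explicit <STDIN> is the safer choice.`. It is also worth noting in that comment that Perl 5.22 added the `<<>>` double-diamond form, which uses three-argument open and avoids the issue, so the policy could be reconsidered once code is on that form. As rendered here the comment ends in `<>/ operator`, which looks like an angle-bracket token (presumably a second operator spelling) was lost in rendering; worth confirming the committed text reads as intended.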