The `open` function used on untrusted input allows arbitrary code execution...
... only if you use the insecure open form. The secure open form has been available and recommended since the release of Perl 5.6.0 in March 2000--twelve years ago.
People who write insecure code, when the language makes it just as easy to write secure code, are to blame for insecure code.
Can you name a practical language in which it's not possible, by default, to perform an unsafe operation with untrusted user input?
I can easily use Haskell's type system to disallow the use of UnsafeUserInput in my database abstraction layer, but that requires me to use my types pervasively and correctly.
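An added example, not part of the comment above: assuming "the insecure open form" means two-argument `open` and "the secure open form" means the three-argument `open` introduced in Perl 5.6.0, this runs both against the same constructed inputs. The function names, the file name and the sample strings are all made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample data: a scratch directory holding one legitimate file.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/report.txt";
open(my $seed, '>', $file) or die "cannot create $file: $!";
print {$seed} "quarterly numbers\n";
close $seed;

# Insecure form: mode and name travel in one string, so whoever supplies
# the string decides whether this reads a file or runs a command.
sub first_line_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!\n";
    my $line = <$fh>;
    close $fh;
    return defined $line ? $line : "(no data)\n";
}

# Secure form: the mode is a literal chosen by the programmer, and the
# second value is only ever treated as a file name.
sub first_line_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!\n";
    my $line = <$fh>;
    close $fh;
    return defined $line ? $line : "(no data)\n";
}

# Constructed inputs: one ordinary path, one carrying pipe syntax.
for my $name ($file, 'echo COMMAND-WAS-RUN |') {
    print "input: [$name]\n";
    print "  two-arg:   ", first_line_two_arg($name);
    print "  three-arg: ", first_line_three_arg($name);
}
```

With the ordinary path both functions return the file's first line; with the second input the two-argument form returns the output of the command, while the three-argument form fails to find a file by that name.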