develooper Front page | perl.perl5.porters | Postings from February 2000

Re: [PATCH] myriad bugs in std modules, w/ security problems

Thread Previous | Thread Next
Gurusamy Sarathy
February 27, 2000 15:07
Re: [PATCH] myriad bugs in std modules, w/ security problems
Message ID:
On Sun, 27 Feb 2000 14:42:27 MST, Tom Christiansen wrote:
>See the problem?  Here's a patch for File::Basename, but there are
>many more to go.  Anywhere that a pattern is applied to a filename,
>the pattern must be closely inspected, and the following measures
>    If you find a "." to mean "any character", the pattern must end
>    in /s.
>    If you find a "^" to mean "start of string", the pattern must
>    also end in /s, or the "^" altered to a "\A".
>    If you find a "$" to mean "end of string", the "$" altered to
>    a "\z".  Not "\Z", but "\z".

But \z doesn't appear to work properly. :-(

    % ./perl -we 'print "[$1]\n" if "foo\n" =~ /(.+)\z/'
    % ./perl -we 'print "[$1]\n" if "foo\n" =~ /(.+)\z/s'
    % ./perl -we 'print "[$1]\n" if "foo\n" =~ /(.+)$/s'

So \z only appears to work when /s is specified, but $ works the
same with /s.  What good is \z then, I wonder?

I guess $ would be different from \z when there's something after $
that can match the newline, but then, even that doesn't seem to work.

    % ./perl -we 'print "[$1]\n" if "foo\n" =~ /(.*)$\n/'

Hmm.  Oh, that appears to be parsed as C<"(.*)" . ${\} . "n">.  Putting
a space between the $ and the \ makes it work.

    % ./perl -we 'print "[$1]\n" if "foo\n" =~ /(.*)$ \n/x'

Another issue with \z: /foo\z\n/ should never match, but why isn't it
a compile-time error?

>In fact, it might be a good idea to just put /s on everything, but
>you still have the \z issue.

I'll say.

>This is *seriously* bad.  Not only did the perl version miss the
>stuff hidden in "..\n" directory, it proceeded to run back up the
>Here's File::Basename.  I've got to back to some other stuff now.
>There's a lot to be fixed.  The standard Perl libraries need to all
>be subjected to a complete code inspection for these issues.  

I don't think we can use \z until it actually works.


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About