This Week on perl5-porters (20-26 October 2003)
From:
Rafael Garcia-Suarez
Date:
October 27, 2003 04:52
Subject:
This Week on perl5-porters (20-26 October 2003)
Message ID:
20031027135120.7d93558b.rgarciasuarez@free.fr
This Week on perl5-porters (20-26 October 2003)
This week, several threads raised concerns with tainting. Plan C for
randomized hashes was successful. The language issues with constant
subroutines were discussed. Bugs were found, some of which were fixed;
some others were dismissed as "features". Quite a usual week for the
Perl 5 porters.
Taint propagation
Nicholas Clark files bug #24248, about tainting not being propagated
properly. This is a regression in perl 5.8.1 that wasn't spotted by the
regression tests. He provides a code example where $1 ends up being
tainted, but where a copy of $1 loses tainting. Rick Delaney follows up
with some questions regarding the precise interpretation of perlsec,
where it's asserted that "the presence of tainted data anywhere within
an expression renders the entire expression tainted".
http://xrl.us/yud
Besides this, Rafael added a test.taintwarn target to perl's makefile,
to run perl's test suite with taint warnings enabled. At a glance, lots
of tests break, but that's due to the additional warnings being reported
where they're not expected.
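As an added example (not code from the summary or from the bug report), here is a small regression check for the property bug #24248 concerns: a regex capture taken from a tainted string should still be tainted after it is copied. It assumes a perl with Scalar::Util and uses "use re 'taint'" so that the match itself does not untaint the capture; run it with perl -T.

```perl
#!/usr/bin/perl -T
# Added example, not from the summary or from bug #24248's report.
# Checks that taint survives copying $1 out of a match on tainted data.
# By default a regex capture is the documented way to *untaint* data
# (perlsec), so 'use re "taint"' is needed to keep $1 tainted here.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Returns 1 if both $1 and a copy of $1 are tainted, 0 otherwise.
sub taint_survives_copy {
    my ($source) = @_;
    die "source must be tainted\n" unless tainted($source);
    use re 'taint';             # captures from tainted input stay tainted
    $source =~ /^(.*)$/s or die "no match\n";
    my $copy = $1;              # the copy whose taint bug #24248 reports as lost
    return tainted($1) && tainted($copy) ? 1 : 0;
}

# Under -T every %ENV value is tainted; PATH is the classic source.
my $source = $ENV{PATH} // die "PATH is not set\n";
print taint_survives_copy($source)
    ? "ok: taint propagated to the copy of \$1\n"
    : "BUG: copy of \$1 lost its taint\n";
```

A perl affected by the regression would print the BUG line; a fixed perl prints the ok line.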
Constant subroutines
Bug #24250 started a long thread. It describes how a closure of the
form:
sub () { $count; }
where $count is a lexical variable, doesn't behave "properly", i.e. not
as if the body of the closure included an explicit "return" statement.
Dave Mitchell explains that perl turned this closure into a constant
subroutine (due to the empty prototype). This happens since perl 5.8.0,
and is considered a feature, although an undocumented and surprising
one. It's actually used in the "constant" module.
At some point, Dave proposed to introduce a ":constant" subroutine
attribute, since the current constant subroutine syntax feels like a
non-intuitive language hack that should be deprecated.
http://xrl.us/yue
Threads and memory leakage
Jack Steadman reported a memory leak in perl 5.8.1 related to threads
(bug #24255), which had gone undiscovered until now. It was fixed by
Dave Mitchell; but Jack then posted another example causing another
kind of leak.
http://xrl.us/yuf
if's version
The CPAN currently holds version 0.01000001 of the "if" pragma,
while the core comes with version 0.03. Autrijus Tang asked Ilya
Zakharevich to release an updated version, because the CPAN version has
bugs: it cannot deal with the "open" pragma, for example. This led to a
discussion about proper version numbering and backward compatibility for
dual-lived perl modules.
http://xrl.us/yug
The :raw layer
Gisle Aas asks why the statement
open my $fh, "<:raw", \$scalar
always fails. Rafael begins to explain that ":raw" pops off other
layers, but it turns out that a more subtle bug is occurring here.
http://xrl.us/yuh
Removing magic from %ENV
Ton Hospel reported (bug #24291) that aliasing the ENV glob makes %ENV
lose magic: thus assigning to an %ENV key doesn't alter the program's
environment.
Rafael says that this is to be expected. (However, perl didn't handle this
case gracefully, producing random coredumps. This was later fixed by
Rafael.) But the potential security hole remains: taint checks are done
against the contents of %ENV, not against the actual environment
variables, which are different when %ENV is aliased to another variable.
A solution is to forbid using an aliased %ENV when taint checks are
enabled.
http://xrl.us/yu3
In brief
Perl 5.8.1's binary compatibility issue has been solved by Nicholas.
(The fix is now part of Debian unstable.) The upcoming perl 5.8.2 is now
able to switch hashing algorithms internally when a hash grows too large
in a non-uniform way.
Jos Boumans posted a program that uses the CPANPLUS API to detect which
core modules are outdated with respect to their CPAN versions.
http://xrl.us/yui
Steve Hay asks for a way to know, from a perl program, whether
the perl in use has been built with -DDEBUGGING.
http://xrl.us/yuj
Ton Hospel produces an "Attempt to free unreferenced scalar" in 22
characters. (Bug #24254.)
Steve Grazzini reports that if you use @& before $& in a Perl program
with perl 5.8, then $& loses its magic. This used to work correctly, but
the old behaviour was to set PL_sawampersand (and its performance
penalties) unnecessarily. (Bug #24237.)
Uri Guttman proposed to include File::Slurp (or a module with similar
functionality) into the core. Several people liked the idea (some of
whom had concerns with the API or the module name); others felt that it
did not meet the criteria to become a core module (the core being
already bloated enough).
Robert Spier introduces metabugs to the crew:
http://xrl.us/yuc
*Last minute*: Hugo released perl 5.9.0, the first development version
after 5.8.0.
About this summary
This week was summarized by Rafael Garcia-Suarez. Summaries are
published weekly on http://use.perl.org/ and on a mailing list, whose
subscription address is perl5-summary-subscribe@perl.org. Corrections,
comments, etc. are welcome.