Re: [perl #82616] security Issues with user-defined \p{} properties

From: Dave Mitchell
Date: February 22, 2011 08:37
Subject: Re: [perl #82616] security Issues with user-defined \p{} properties
Message ID: 20110222163727.GC2883@iabyn.com

On Sat, Jan 22, 2011 at 07:12:51AM -0800, Dave Mitchell wrote:
> This is a placeholder for the issues related to \p{UserDefined} being
> too generous in calling functions.  
> For more details, see the p5p thread beginning at message-id:
> 
>     <4CD4336F.9000801@khwilliamson.com>

I have now added a taint check for the property function name with commit
0e9be77f0cd6452aaea65088e06f647e82aca5e8.

This means we now have the following new restrictions:

* only call the function if its name begins with In or Is
* don't call the function if its name is tainted

There doesn't seem to be any consensus yet on what other measures, if any,
to take.


-- 
All wight. I will give you one more chance. This time, I want to hear
no Wubens. No Weginalds. No Wudolf the wed-nosed weindeers.
    -- Life of Brian
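
The two restrictions listed in the message are enforced inside perl itself. The sketch below is an added example, not code from the original post or from the perl source: it shows an application-level guard for a property name that arrives from outside the program, using the same In/Is shape rule plus an allowlist. The names IsVowel, %ALLOWED and property_regex are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical user-defined property: perl calls this sub while compiling
# \p{IsVowel}; it returns one hex code point per line.
sub IsVowel {
    return join '', map { sprintf("%04X\n", ord($_)) } qw(a e i o u A E I O U);
}

# Hypothetical allowlist of property names the application accepts.
my %ALLOWED = map { $_ => 1 } qw(IsVowel);

# Build a regex for a property name that arrived from outside the program.
sub property_regex {
    my ($name) = @_;

    # Same shape the core now insists on: a plain identifier starting with
    # In or Is. \A...\z and the ASCII class leave no room for "}", "::" etc.
    my ($clean) = $name =~ /\A((?:In|Is)[A-Za-z0-9_]+)\z/
        or die "rejected property name: bad shape\n";

    # A capture untaints the value under -T, so the shape check alone must
    # not be the decision; the allowlist lookup is.
    exists $ALLOWED{$clean}
        or die "rejected property name: not allowlisted\n";

    my $pattern = '\p{' . $clean . '}';
    return qr/$pattern/;
}

# Constructed sample inputs.
for my $name ('IsVowel', 'Vowel', 'IsUnlisted', 'IsVowel}x') {
    my $re = eval { property_regex($name) };
    if ($re) {
        my @hits = grep { /\A$re\z/ } qw(a b e z);
        print "$name: accepted, matches @hits\n";
    }
    else {
        print "$name: $@";
    }
}
```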
