develooper Front page | perl.perl5.porters | Postings from March 2011

Re: RFC: security Issues with user-defined \p{} properties

March 12, 2011 09:17
On 16 January 2011 15:39, Dave Mitchell <> wrote:
> On Mon, Nov 15, 2010 at 03:56:57PM +0000, Dave Mitchell wrote:
> [snip long thread about security of \p{UserDefined}]
>> I suggest two things.
>> The first I think is a no-contest:
>> enable taint checks on \p{...} strings.
>> Anyone disagree?
>> The second is to restrict user-defined properties to only match 'In' and
>> 'Is' subs, as is documented. This will break some people's code, but will
>> greatly reduce the number of possible subs that match.
>> After implementing these two, we can then at our leisure decide how to
>> re-implement the feature with the right scopes, packages etc.
> The In/Is thing is now in as commit
> d658a8a81c4f311bef688fd51df924a424429f14

And you did the taint checking too I see:

commit 0e9be77f0cd6452aaea65088e06f647e82aca5e8
Author: David Mitchell <>
Date:   Tue Feb 22 16:28:20 2011 +0000

    make /\p{isUserDefined}/ die on taint

    If the string which contains the name of a user-defined character property
    function is tainted, then die rather than calling that function.
    See [perl #82616].

Thanks. (Just adding to the thread because I didn't see it mentioned elsewhere).

perl -Mre=debug -e "/just|another|perl|hacker/"
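The behaviour the commit message above describes, plus the usual way to pass a checked property name through, as an added example (not code from this thread or from perl's source). The property `IsVowel`, the allow-list and the helper names are hypothetical; run it with `perl -T` so taint mode is on.

```perl
#!/usr/bin/perl -T
# Added example; needs taint mode (perl -T script.pl).
use strict;
use warnings;

# User-defined property: the name must start with "In" or "Is", and the sub
# returns the matching code points as hex, one code point or range per line.
sub IsVowel { return join '', map { sprintf "%04X\n", ord } qw(a e i o u) }

# Hypothetical allow-list of property names this program offers to callers.
my %ALLOWED = map { $_ => 1 } qw(IsVowel);

# Constructed stand-in for outside input: a zero-length slice of $^X is
# tainted under -T, so appending it taints a string without changing it.
my $TAINT = substr($^X, 0, 0);

# Match $text against \p{$prop}; report the match result or the error text.
sub try_property {
    my ($prop, $text) = @_;
    my $matched = eval { $text =~ /\A\p{$prop}\z/ ? 1 : 0 };
    return "matched=$matched" if defined $matched;
    (my $err = $@) =~ s/\s+\z//;
    return "died: $err";
}

# Accept a name only if it has the In/Is shape and is on the allow-list.
# The regex capture is an untainted copy (unless "use re 'taint'" is active).
sub vetted_property {
    my ($name) = @_;
    my ($clean) = $name =~ /\A(I[ns]\w+)\z/ or return;
    return $ALLOWED{$clean} ? $clean : undef;
}

my $from_user = "IsVowel" . $TAINT;   # as if read from a request parameter

print "literal name: ", try_property("IsVowel", "e"), "\n";
# With the taint check in place perl dies here instead of calling the sub.
print "tainted name: ", try_property($from_user, "e"), "\n";

my $ok = vetted_property($from_user);
print "vetted name:  ", (defined $ok ? try_property($ok, "e") : "rejected"), "\n";
```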