develooper Front page | perl.perl5.porters | Postings from March 2011

Re: RFC: security Issues with user-defined \p{} properties

From:
demerphq
Date:
March 12, 2011 09:17
Subject:
Re: RFC: security Issues with user-defined \p{} properties
Message ID:
AANLkTik8Nza0NRWzRAm8k7rwFhNLT2jSs_1+Dffrky_F@mail.gmail.com
On 16 January 2011 15:39, Dave Mitchell <davem@iabyn.com> wrote:
> On Mon, Nov 15, 2010 at 03:56:57PM +0000, Dave Mitchell wrote:
>
> [snip long thread about security of \p{UserDefined}]
>
>> I suggest two things.
>>
>> The first I think is a no-contest:
>>
>> enable taint checks on \p{...} strings.
>>
>> Anyone disagree?
>>
>> The second is to restrict user-defined properties to only match 'In' and
>> 'Is' subs, as is documented. This will break some people's code, but will
>> greatly reduce the number of possible subs that match.
>>
>> After implementing these two, we can then at our leisure decide how to
>> re-implement the feature with the right scopes, packages etc.
>
> The In/Is thing is now in as commit
> d658a8a81c4f311bef688fd51df924a424429f14

And you did the taint checking too I see:

commit 0e9be77f0cd6452aaea65088e06f647e82aca5e8
Author: David Mitchell <davem@iabyn.com>
Date:   Tue Feb 22 16:28:20 2011 +0000

    make /\p{isUserDefined}/ die on taint

    If the string which contains the name of a user-defined character property
    function is tainted, then die rather than calling that function.
    See [perl #82616].

Thanks. (Just adding to the thread because I didn't see it mentioned elsewhere).

-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
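The behaviour the commit message describes, shown as an added example rather than code from the thread or from perl itself. It assumes a perl that carries commit 0e9be77 (the check shipped in 5.14) and that taint mode is on (`perl -T`). The sub names, subject strings and the exact error text are not from the page, so the code only checks that the match died; the taint helper uses the common idiom of appending a zero-length substr of a tainted %ENV value.

```perl
#!/usr/bin/perl -T
# Added illustration; not code from the thread or from perl's own tests.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A legitimate user-defined property: ASCII hex digits. Each line of the
# returned list is "START<tab>END" in hex, the format perlunicode documents.
sub IsAsciiHex {
    return join '', map { sprintf "%04X\t%04X\n", @$_ }
        [0x30, 0x39], [0x41, 0x46], [0x61, 0x66];
}

# A second In/Is-named sub whose only job is to record that it ran. It
# stands in for whatever sub someone who controls the property name would
# rather have perl call.
our $side_effect_calls = 0;
sub IsSideEffect {
    $side_effect_calls++;
    return "0041\n";            # matches only "A"
}

# Constructed "user input": concatenating a zero-length substr of a tainted
# value (%ENV is tainted under -T) taints the result, because taint
# propagates through concatenation.
sub taint_string {
    my ($s) = @_;
    return $s . substr($ENV{PATH} // '', 0, 0);
}

# Interpolating $name compiles the pattern at run time, which is where the
# check from commit 0e9be77 fires. Returns 1/0 for a match result, or the
# error text if the match died.
sub match_with_property {
    my ($name, $subject) = @_;
    my $result = eval { $subject =~ /\A\p{$name}+\z/ ? 1 : 0 };
    return $result if defined $result;
    chomp(my $err = $@);
    return "died: $err";
}

# The check callers should do regardless of perl version: validate the name
# against a strict pattern before it reaches the regex engine. The capture
# is untainted, and the pattern only admits the In/Is names the feature is
# documented for.
sub untaint_property_name {
    my ($raw) = @_;
    my ($clean) = $raw =~ /\A(I[ns][A-Za-z0-9_]{1,63})\z/
        or die "rejected property name\n";
    return $clean;
}

# 1. Untainted name, ordinary use.
print match_with_property('IsAsciiHex', 'deadBEEF'), "\n";   # 1
print match_with_property('IsAsciiHex', 'xyz'),      "\n";   # 0

# 2. Tainted name: a perl carrying the fix dies before calling anything.
my $bad = taint_string('IsSideEffect');
print 'tainted: ', (tainted($bad) ? 'yes' : 'no'), "\n";     # yes
print match_with_property($bad, 'A'), "\n";                  # died: ...
print "IsSideEffect calls: $side_effect_calls\n";            # 0

# 3. The same name untainted shows what the check prevents: the regex
#    engine calls whichever In/Is sub the name selects.
print match_with_property('IsSideEffect', 'A'), "\n";        # 1
print "IsSideEffect calls: $side_effect_calls\n";            # 1

# 4. Validated input is untainted and safe to interpolate.
my $ok = untaint_property_name(taint_string('IsAsciiHex'));
print match_with_property($ok, '0ff'), "\n";                 # 1
```

Run it as `perl -T example.pl` so the command line agrees with the `#!` line. On a perl older than the fix, step 2 does not die: IsSideEffect is called with a name that came straight from tainted data and the counter already reads 1 at that point, which is exactly the hole the thread set out to close. Step 4 is the part that holds on any perl: untaint by validation, never by trusting the regex engine to refuse.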


