develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Thread Previous | Thread Next
Jan Dubois
October 1, 2012 17:55
Re: Security Issues in perl-5.16.x
Message ID:

On 2012-10-01, at 5:11 PM, Jesse Luehrs <> wrote:
> Just because your patches were applied doesn't mean that they were
> *security* bugs. I agree that it's probably a bug that 'require
> "\0bar"' sets $INC{"\0bar"} instead of $INC{""}, and I
> think it probably should be fixed, but I still haven't seen any evidence
> that this is a *security* bug. There is a difference.

Why? %INC contains the filename in exactly the same format as you
specified it in the require statement:

$ perl -E 'require ""; /foo/ && say for keys %INC'
$ perl -E 'require "./"; /foo/ && say for keys %INC'
$ perl -E 'require "../jan/"; /foo/ && say for keys %INC'
$ perl -E 'require "\"; /foo/ && say for keys %INC'

What makes the last one special, so that it needs to be "normalized",
but the other 3 can be left as-is?  %INC is just a heuristic to try to prevent
the same file from being compiled multiple times.  It is easily fooled too:

$ echo 'print "hi\n"' >
$ perl -E 'require ""; require "./"; /foo/ && say for keys %INC'

To me this is not a bug, just a limitation of the optimization.

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About