develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

From: Aristotle Pagaltzis
Date: October 1, 2012 18:33
Subject: Re: Security Issues in perl-5.16.x
Message ID: 20121002013321.GB31092@fernweh.plasmasturm.org

* Reini Urban <rurban@x-ray.at> [2012-10-02 03:05]:
> There is no need at all to allow \0 in names at all, and \0 being
> passed to system ops needs to be caught. There cannot be any \0 in
> usernames, group names, filenames, dir names and such. People know
> about strings but not about names.

Is there any reason for interfaces to NUL-sensitive syscalls not to
always check and die if they’re asked to pass a string that contains
NULs? The way I see it, regardless of whether there even are security
implications or not, Perl is being asked to do something it cannot. To
my mind it should give up and tell the user that, instead of silently
doing some proximate other thing.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
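
The check proposed in this message, sketched in C as an added example that is not part of the original post or of perl's source: a length-counted string is refused before it reaches a NUL-terminated syscall interface. The `lstr` type, the function names, the constructed sample name and the choice of `EINVAL` are all assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Length-counted string, as a scripting-language scalar carries its bytes.
 * buf[len] is a terminating NUL; bytes before it may also be NUL. */
struct lstr { const char *buf; size_t len; };

/* Constructed sample: "." followed by an embedded NUL and more bytes. */
struct lstr sample_name(void) {
    static const char raw[] = ".\0ignored-suffix";
    struct lstr s = { raw, sizeof raw - 1 };
    return s;
}

/* Number of bytes a C-string interface will actually read. */
size_t bytes_seen_by_syscall(struct lstr s) { return strlen(s.buf); }

int has_embedded_nul(struct lstr s) {
    return memchr(s.buf, '\0', s.len) != NULL;
}

/* Unchecked: hands the pointer over, so the kernel silently stops at
 * the first NUL and opens a different name than the caller asked for. */
int open_unchecked(struct lstr path, int flags) {
    return open(path.buf, flags);
}

/* Checked: the request cannot be expressed as a C string, so fail
 * loudly instead of doing "some proximate other thing". */
int open_checked(struct lstr path, int flags) {
    if (has_embedded_nul(path)) {
        errno = EINVAL;   /* error code chosen for this example */
        return -1;
    }
    return open(path.buf, flags);
}

int main(void) {
    struct lstr s = sample_name();
    printf("caller passed %zu bytes, syscall sees %zu\n",
           s.len, bytes_seen_by_syscall(s));
    int fd = open_unchecked(s, O_RDONLY);
    printf("unchecked: fd=%d (opened \".\", not the requested name)\n", fd);
    if (fd >= 0) close(fd);
    fd = open_checked(s, O_RDONLY);
    printf("checked:   fd=%d errno=%s\n", fd, strerror(errno));
    return 0;
}
```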
