
Re: Security Issues in perl-5.16.x

From: Reini Urban
Date: October 1, 2012 18:44
Subject: Re: Security Issues in perl-5.16.x
Message ID: CAHiT=DHLbRFu=GsPGvYOpagpWKMngj2UdSi9sJya=yYpKbfTyg@mail.gmail.com

On Mon, Oct 1, 2012 at 8:33 PM, Aristotle Pagaltzis <pagaltzis@gmx.de> wrote:
> * Reini Urban <rurban@x-ray.at> [2012-10-02 03:05]:
>> There is no need at all to allow \0 in names at all, and \0 being
>> passed to system ops needs to be caught. There cannot be any \0 in
>> usernames, group names, filenames, dir names and such. People know
>> about strings but not about names.
>
> Is there any reason for interfaces to NUL-sensitive syscalls not to
> always check and die if they’re asked to pass a string that contains
> NULs? The way I see it, regardless of whether there even are security
> implications or not, Perl is being asked to do something it cannot. To
> my mind it should give up and tell the user that, instead of silently
> doing some proximate other thing.

Exactly.

This argument was in the past always ignored and left over to
additional modules.
This gives a bad reputation to perl as language.
-- 
Reini Urban
http://cpanel.net/   http://www.perl-compiler.org/
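
The check discussed in this message, sketched in C as an added example (not code from the perl source or from either poster): a length-counted name with an embedded `\0` is refused before it reaches `open(2)`, instead of being silently cut at the first NUL. The names `counted_str`, `syscall_visible_len`, `name_is_passable` and `checked_open`, the sample values, and the choice of `EINVAL` are assumptions of the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-counted string (like a Perl scalar's buffer):
 * the bytes may contain '\0'; buf[len] is a terminating '\0'. */
struct counted_str { const char *buf; size_t len; };

/* Constructed samples: the first has a NUL at offset 10 of 15 bytes. */
const struct counted_str sample_bad = { "report.txt\0.jpg", 15 };
const struct counted_str sample_ok  = { "report.txt", 10 };

/* Bytes a NUL-terminated interface would act on if handed buf as-is:
 * everything from the first '\0' onward is silently dropped. */
size_t syscall_visible_len(struct counted_str s)
{
    const char *nul = memchr(s.buf, '\0', s.len);
    return nul ? (size_t)(nul - s.buf) : s.len;
}

/* 0 if the name survives the trip unchanged; -1 with errno = EINVAL if
 * it has an embedded '\0' (EINVAL is this example's choice). */
int name_is_passable(struct counted_str s)
{
    if (syscall_visible_len(s) != s.len) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* open(2) wrapper that refuses rather than opening the truncated name. */
int checked_open(struct counted_str path, int flags)
{
    if (name_is_passable(path) != 0)
        return -1;              /* errno set above; no syscall is made */
    return open(path.buf, flags);
}

int main(void)
{
    printf("asked for %zu bytes, open(2) would see %zu; checked_open: %d\n",
           sample_bad.len, syscall_visible_len(sample_bad),
           checked_open(sample_bad, O_RDONLY));
    return 0;
}
```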
