perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

From: demerphq
Date: October 1, 2012 19:00
Subject: Re: Security Issues in perl-5.16.x
Message ID: CANgJU+UUFjdUc3QCMEkAq+c2OEpbLtxOxtpEBMidFBacKNJg0Q@mail.gmail.com
On 2 October 2012 03:44, Reini Urban <rurban@x-ray.at> wrote:
> On Mon, Oct 1, 2012 at 8:33 PM, Aristotle Pagaltzis <pagaltzis@gmx.de> wrote:
>> * Reini Urban <rurban@x-ray.at> [2012-10-02 03:05]:
>>> There is no need at all to allow \0 in names at all, and \0 being
>>> passed to system ops needs to be caught. There cannot be any \0 in
>>> usernames, group names, filenames, dir names and such. People know
>>> about strings but not about names.
>>
>> Is there any reason for interfaces to NUL-sensitive syscalls not to
>> always check and die if they’re asked to pass a string that contains
>> NULs? The way I see it, regardless of whether there even are security
>> implications or not, Perl is being asked to do something it cannot. To
>> my mind it should give up and tell the user that, instead of silently
>> doing some proximate other thing.
>
> Exactly.
>
> This argument was in the past always ignored and left over to
> additional modules.
> This gives a bad reputation to perl as language.

Perl never promised to save anyone from shooting their foot off, quite
the opposite. That is very different from someone diligent being
vulnerable because they use Perl due to a bug in Perl.

So far you haven't shown the latter and this conversation sounds like
FUD motivated by the p5p community not doing what you want us to do.

Yves

-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
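The check the quoted exchange argues for, written out as an added example (this is not code from the thread or from the perl core; the wrapper names `assert_no_nul`, `open_checked` and `getpwnam_checked` are hypothetical application code): a guard that refuses to hand a string with an embedded NUL to a NUL-terminated C interface, and a helper showing which prefix a `strlen()`-based call would otherwise see.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Added example, not code from the thread or from perl itself: refuse to
# pass strings containing an embedded NUL to NUL-terminated C interfaces
# (filenames, user and group names). The wrapper names are hypothetical.

# Offset of the first NUL byte, or -1 if the string has none.
sub nul_offset {
    my ($value) = @_;
    return index($value, "\0");
}

# Die with a clear message instead of letting the C side silently truncate.
# Perl strings carry a length, so length() counts the bytes after the NUL;
# a C string does not, which is exactly the mismatch the thread discusses.
sub assert_no_nul {
    my ($what, $value) = @_;
    my $pos = nul_offset($value);
    if ($pos >= 0) {
        die sprintf("%s contains NUL at offset %d of %d bytes; "
                  . "refusing to pass it to the OS\n",
                    $what, $pos, length $value);
    }
    return $value;
}

# The bytes a NUL-terminated C call would actually act on.
sub c_visible_prefix {
    my ($value) = @_;
    my $pos = nul_offset($value);
    return $pos >= 0 ? substr($value, 0, $pos) : $value;
}

# Wrappers around NUL-sensitive operations that validate before calling.
sub open_checked {
    my ($path) = @_;
    assert_no_nul('filename', $path);
    open my $fh, '<', $path or die "open '$path': $!\n";
    return $fh;
}

sub getpwnam_checked {
    my ($user) = @_;
    assert_no_nul('username', $user);
    return getpwnam($user);
}

# Constructed inputs: one clean name and one carrying an embedded NUL, as
# might arrive from a network client or a percent-decoded URL component.
my @inputs = ("notes.txt", "notes.txt\0.log");

for my $name (@inputs) {
    (my $shown = $name) =~ s/\0/\\0/g;    # make the NUL visible when printing
    printf "input '%s': perl length %d, C would see '%s'\n",
        $shown, length $name, c_visible_prefix($name);

    my $ok = eval { assert_no_nul('filename', $name); 1 };
    print $ok ? "  accepted by the guard\n" : "  rejected: $@";
}
```

The guard is deliberately placed in front of every call that ends up in a `char *` argument, not in one central "sanitise" routine, so that an untrusted string cannot reach `open`, `unlink`, `getpwnam` or similar by a path that forgot to sanitise. From perl 5.20 the core itself emits a warning in the `syscalls` category ("Invalid \0 character in pathname for open") and fails the call; on the 5.16.x the thread is about, rejecting such strings is the application's job.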
