
Re: Security Issues in perl-5.16.x

From: Reini Urban
Date: October 1, 2012 19:05
Subject: Re: Security Issues in perl-5.16.x
Message ID: CAHiT=DEBMSuGY-Dx_gcmi5jgB8P4RAav2appQihGMqrHRUJUcw@mail.gmail.com

On Mon, Oct 1, 2012 at 9:00 PM, demerphq <demerphq@gmail.com> wrote:
> On 2 October 2012 03:44, Reini Urban <rurban@x-ray.at> wrote:
>> On Mon, Oct 1, 2012 at 8:33 PM, Aristotle Pagaltzis <pagaltzis@gmx.de> wrote:
>>> * Reini Urban <rurban@x-ray.at> [2012-10-02 03:05]:
>>>> There is no need at all to allow \0 in names at all, and \0 being
>>>> passed to system ops need to caught. There cannot be any \0 in
>>>> usernames, group names, filenames, dir names and such. People know
>>>> about strings but not about names.
>>>
>>> Is there any reason for interfaces to NUL-sensitive syscalls not to
>>> always check and die if they’re asked to pass a string that contains
>>> NULs? The way I see it, regardless of whether there even are security
>>> implications or not, Perl is being asked to do something it cannot. To
>>> my mind it should give up and tell the user that, instead of silently
>>> doing some proximate other thing.
>>
>> Exactly.
>>
>> This argument was in the past always ignored and left over to
>> additional modules.
>> This gives a bad reputation to perl as language.
>
> Perl never promised to save anyone from shooting their foot off, quite
> the opposite. That is very different from someone diligent being
> vulnerable because they use Perl due to a bug in Perl.
>
> So far you haven't shown the latter and this conversation sounds like
> FUD motivated by the p5p community not doing what you want us to do.

It may sound like FUD to you because you failed to see the issues I pointed out.
6 of 8 were already fixed, so no FUD. For the two remaining ones time will tell,
or someone else will be able to explain it to you.

Sorry, I might not be a good explainer.
-- 
Reini Urban
http://cpanel.net/   http://www.perl-compiler.org/
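The point Aristotle and Reini make above is that a Perl string may legally contain "\0", but the C-level syscall behind open, unlink or getpwnam only sees the bytes before the first NUL, so the operation silently acts on a different name than the one the program holds. The following is an added example, not code from this thread or from perl itself: hypothetical wrapper functions (assert_no_nul, safe_open_read, safe_unlink, safe_getpwnam) that refuse to hand such a name to the OS and die with a clear message instead. It assumes a Unix-like system with a working getpwnam and uses constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(croak);
use File::Temp qw(tempdir);
use File::Spec;

# Reject any "name" (filename, username, group name) that contains a NUL,
# because the C-level syscall would only see the bytes before it.
# Hypothetical helper, not part of perl's core.
sub assert_no_nul {
    my ($what, $name) = @_;
    croak "$what is undefined" unless defined $name;
    my $pos = index($name, "\0");
    if ($pos != -1) {
        croak sprintf "%s contains a NUL byte at offset %d; refusing to pass it to the OS",
            $what, $pos;
    }
    return $name;
}

# Wrappers that validate first and only then touch the filesystem / passwd db.
sub safe_open_read {
    my ($path) = @_;
    assert_no_nul('filename', $path);
    open my $fh, '<', $path or croak "open '$path': $!";
    return $fh;
}

sub safe_unlink {
    my ($path) = @_;
    assert_no_nul('filename', $path);
    return unlink($path);
}

sub safe_getpwnam {
    my ($user) = @_;
    assert_no_nul('username', $user);
    return scalar getpwnam($user);   # uid in scalar context
}

# --- demonstration on constructed input ---
my $dir  = tempdir(CLEANUP => 1);
my $good = File::Spec->catfile($dir, 'report.txt');
open my $out, '>', $good or die "create: $!";
print {$out} "ok\n";
close $out;

# Constructed hostile value: the real path followed by a NUL and trailing
# text. A naive C-string consumer would stop at the NUL and open $good.
my $bad = "$good\0.bak";

for my $case ([good => $good], [bad => $bad]) {
    my ($label, $path) = @$case;
    my $fh = eval { safe_open_read($path) };
    if ($fh) {
        printf "%-4s: opened, first line = %s", $label, scalar <$fh>;
        close $fh;
    } else {
        # $@ already ends in a newline (croak appends "at FILE line N.\n")
        printf "%-4s: rejected: %s", $label, $@;
    }
}

my $uid = eval { safe_getpwnam("root\0ignored") };
print "username check: ", ($@ ? "rejected: $@" : "uid=$uid\n");
```

The check is a plain index() for "\0" on the Perl string before any op that will convert it to a C string; the wrappers die rather than return a failure code so that a caller cannot overlook the rejection. The same guard belongs in front of every name-taking op the thread mentions (filenames, directory names, user and group names), not only the three shown here.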
