develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Reini Urban
October 1, 2012 19:05
Re: Security Issues in perl-5.16.x
On Mon, Oct 1, 2012 at 9:00 PM, demerphq <> wrote:
> On 2 October 2012 03:44, Reini Urban <> wrote:
>> On Mon, Oct 1, 2012 at 8:33 PM, Aristotle Pagaltzis <> wrote:
>>> * Reini Urban <> [2012-10-02 03:05]:
>>>> There is no need at all to allow \0 in names at all, and \0 being
>>>> passed to system ops need to be caught. There cannot be any \0 in
>>>> usernames, group names, filenames, dir names and such. People know
>>>> about strings but not about names.
>>> Is there any reason for interfaces to NUL-sensitive syscalls not to
>>> always check and die if they’re asked to pass a string that contains
>>> NULs? The way I see it, regardless of whether there even are security
>>> implications or not, Perl is being asked to do something it cannot. To
>>> my mind it should give up and tell the user that, instead of silently
>>> doing some proximate other thing.
>> Exactly.
>> This argument was in the past always ignored and left over to
>> additional modules.
>> This gives a bad reputation to perl as a language.
> Perl never promised to save anyone from shooting their foot off, quite
> the opposite. That is very different from someone diligent being
> vulnerable because they use Perl due to a bug in Perl.
> So far you haven't shown the latter and this conversation sounds like
> FUD motivated by the p5p community not doing what you want us to do.

It may sound like FUD to you because you failed to see the issues I pointed out.
6 of 8 were already fixed, so no FUD. For the two remaining ones, time will tell,
or someone else will be able to explain it to you.

Sorry, I might not be a good explainer.
Reini Urban
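The check Aristotle and Reini argue for above, as an added Perl example that is not part of this thread or of perl's own source: a guard that refuses to hand a name containing an embedded NUL to any syscall, so the caller is told instead of the kernel silently acting on the truncated prefix. The function names (assert_no_nul, open_checked) and the sample names are assumptions constructed for the example; it does not depend on what a particular perl version does with the NUL, because the name is rejected before any syscall sees it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(croak);

# C strings stop at the first NUL, so a Perl string "a\0b" handed to
# open(2), chdir(2), getpwnam(3) and friends is seen by libc as just "a".
# This guard (hypothetical name) dies instead of letting that happen.
sub assert_no_nul {
    my ($what, $value) = @_;
    my $pos = index($value, "\0");
    return $value if $pos < 0;
    # Escape the NUL so the error message shows where it sits.
    (my $shown = $value) =~ s/\0/\\0/g;
    croak "Embedded NUL in $what at offset $pos: '$shown'";
}

# Hypothetical wrapper: validate, then call the real open().
sub open_checked {
    my ($mode, $path) = @_;
    assert_no_nul('pathname', $path);
    open(my $fh, $mode, $path) or croak "open '$path': $!";
    return $fh;
}

# Constructed sample names; the second is what an application can end up
# with after concatenating untrusted input into a filename.
my @names = ("report.txt", "report.txt\0.bak");

for my $name (@names) {
    my $ok = eval { assert_no_nul('filename', $name); 1 };
    if ($ok) {
        print "accepted: '$name'\n";
    } else {
        print "rejected: $@";
    }
}

# The same guard applies to every value that becomes a C string:
# usernames for getpwnam(), group names for getgrnam(), directory
# names for chdir()/mkdir(), and each argv element of system()/exec().
```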
