perl.perl5.porters | Postings from October 2012

Re: Re: Security Issues in perl-5.16.x

From: Chip Salzenberg
Date: October 1, 2012 21:51
Subject: Re: Re: Security Issues in perl-5.16.x
Message ID: CANSL5VGnjauzWvzwsD25cpeATApS5Oapm3F2YzWKG1RhDkBX3A@mail.gmail.com

On Mon, Oct 1, 2012 at 1:24 PM, chromatic <chromatic@wgz.org> wrote:
> In some modules (including core modules), you can inject arbitrary code into a
> process by crafting the correct environment variable.
>
> Sure, you have problems if I'm able to modify your environment variables, but
> how often do you audit your environment variables to see if I can exploit your
> Perl?

Shirley you can't be serious.  Environment variable control is
fundamental, going back to the early days of Unix and exploits
involving PATH and IFS.  You may as well ask whether we sanitize or
escape user data to avoid XSS.
