perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Jesse Luehrs
October 2, 2012 16:32
On Wed, Oct 03, 2012 at 01:28:00AM +0200, demerphq wrote:
> On 3 October 2012 01:10, Chip Salzenberg <> wrote:
> > On Mon, Oct 1, 2012 at 11:56 PM, Aristotle Pagaltzis <> wrote:
> >> * Chip Salzenberg <> [2012-10-02 07:05]:
> >>> If you meant only to restrict only strings handed to require and do
> >>> FILE, I would not fork Perl for that. Of course I would still hold
> >>> you in derision for demanding it, given its utter uselessness; and
> >>> I would enthusiastically mock anyone who decided to go along with you.
> >>> But I wouldn't fork Perl.
> >>
> >> Just because? Or do you have any use for that?
> >
> > I do have a use.  For the first example off the top of my head, I've
> > made some spam-fighting software that uses packed IPv4 addresses as
> > hash keys.  Those have NULs in them for sure.
> >
> > I truly can't believe this is a question.  Strings can have NULs in
> > them.  Hash keys are strings...
>
> I personally have not read any of this discussion as suggesting that
> hash keys in general should not be allowed to contain nulls. To me
> that is so obviously ridiculous that I think we can assume that no-one
> is suggesting it.
>
> The interpretation I have is that people think we should not end up
> with package names that contain nulls, which seems to me to be a much
> more reasonable request.

The point that Chip is making is: how would you propose stopping package
names from containing nulls? Packages are just hashes internally.
Should all packages get set uvar magic that dies if the key contains a
null or something like that? That seems pretty ugly. I don't see
anything wrong with package names (keys in a stash) containing nulls,
although having system calls die when they are given a string containing
a null could potentially be a good idea.
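
An added illustration of the points in this message, not code from the thread: hash keys and stash entries hold NUL bytes like any other byte, while a guard rejects such strings before they reach a system call. The `Demo` package, the `checked_open` helper and all sample values are constructed for this example, and the stash part assumes a perl whose symbol names are NUL-clean.

```perl
use strict;
use warnings;

# 1. Hash keys are byte strings: packed IPv4 addresses (constructed samples)
#    contain NUL bytes and are still distinct, usable keys.
my %hits;
for my $addr ([10, 0, 0, 1], [10, 0, 0, 2]) {
    my $key = pack('C4', @$addr);
    $hits{$key}++;
}
printf "distinct packed keys: %d\n", scalar keys %hits;

# 2. A package's symbol table (stash) is a hash as well, so a name with an
#    embedded NUL is stored as a key like any other.
{
    no strict 'refs';
    *{"Demo::with\0nul"} = sub { 'ok' };
}
my @nul_names = grep { index($_, "\0") >= 0 } keys %Demo::;
printf "stash entries containing NUL: %d\n", scalar @nul_names;

# 3. Hypothetical guard at the system-call boundary: C APIs treat NUL as the
#    end of a string, so refuse the path instead of passing it down.
sub checked_open {
    my ($mode, $path) = @_;
    die "refusing path with embedded NUL\n" if index($path, "\0") >= 0;
    open(my $fh, $mode, $path) or die "open failed: $!\n";
    return $fh;
}

# Constructed sample path with an embedded NUL; the guard dies before open().
my $fh = eval { checked_open('<', "report\0.txt") };
print "guard result: ", ($fh ? "opened\n" : $@);
```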

