develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Thread Previous | Thread Next
From:
demerphq
Date:
October 2, 2012 16:40
Subject:
Re: Security Issues in perl-5.16.x
Message ID:
CANgJU+WDBgN88CYv4qwL-Oi4GfR1pipemZ1_HgdAw-bwMF599g@mail.gmail.com
On 3 October 2012 01:32, Jesse Luehrs <doy@tozt.net> wrote:
> On Wed, Oct 03, 2012 at 01:28:00AM +0200, demerphq wrote:
>> On 3 October 2012 01:10, Chip Salzenberg <rev.chip@gmail.com> wrote:
>> > On Mon, Oct 1, 2012 at 11:56 PM, Aristotle Pagaltzis <pagaltzis@gmx.de> wrote:
>> >> * Chip Salzenberg <rev.chip@gmail.com> [2012-10-02 07:05]:
>> >>> If you meant only to restrict only strings handed to require and do
>> >>> FILE, I would not fork Perl for that. Of course I would still hold
>> >>> you in derision for demanding it, given its utter uselessness; and
>> >>> I would enthusiastically mock anyone who decided to go along with you.
>> >>> But I wouldn't fork Perl.
>> >>
>> >> Just because? Or do you have any use for that?
>> >
>> > I do have a use.  For the first example off the top of my head, I've
>> > made some spam-fighting software that uses packed IPv4 addresses as
>> > hash keys.  Those have NULs in them for sure.
>> >
>> > I truly can't believe this is a question.  Strings can have NULs in
>> > them.  Hash keys are strings...
>>
>> I personally have not read any of this discussion as suggesting that
>> hash keys in general should not be allowed to contain nulls. To me
>> that is so obviously ridiculous that I think we can assume that no-one
>> is suggesting it.
>>
>> The interpretation I have is that people think we should not end up
>> with package names that contain nulls, which seems to me to be a much
>> more reasonable request.
>
> The point that Chip is making is: how would you propose stopping package
> names from containing nulls?

That is a charitable interpretation of Chips mail, but is contradicted
by the example he gave which had nothing to do with package names.

> Packages are just hashes internally.
> Should all packages get set uvar magic that dies if the key contains a
> null or something like that? That seems pretty ugly. I don't see
> anything wrong with package names (keys in a stash) containing nulls,
> although having system calls die when they are given a string containing
> a null could potentially be a good idea.

I don't think implementation details of current perl are the correct
starting point for this discussion.  Instead we should stick to the
abstract "how should this work" and only later on address the
implementation details (which may indeed prevent us from doing what we
want currently).

I am sure that somewhere we specify what characters are acceptable in
a package name even if we don't enforce the rule currently.

We definitely specify that package names are mapped to filespec's.

IMO package names that might be impossible to map to filespecs are problematic.

yves

-- 
perl -Mre=debug -e "/just|another|perl|hacker/"

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About