develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Thread Previous | Thread Next
Chip Salzenberg
October 2, 2012 17:12
Re: Security Issues in perl-5.16.x
Message ID:
On Tue, Oct 2, 2012 at 4:37 PM, Aristotle Pagaltzis <> wrote:
> I was asking about `require`, `open`, etc passing on strings with NULs
> in the middle to syscalls. You said you would not be opposed to making
> them refuse to, but would gleefully mock whoever demanded it. I wanted
> to know the basis for the promised mocking. Please concentrate.

Fairly copped; I misread you.

The answer is: It's silly to assume that just because many or even all
current systems have no NULs in their filenames, that therefore none
ever will.  It's silly to assume that if a string with a NUL in it is
passed to open() on existing systems, that therefore the programmer
should be warned or even worse have his system call fail, even though
the historical behavior of such an open is well established and
harmless.  And it would encourage Chicken Littles like Reini by
letting them claim, fatuously, that they found a real bug that needed
fixing, when in fact there was no mundane bug, let alone a security
bug; and thus no fix was ever required.

If you disagree, then while we're at it, let's warn about spaces
following tabs in source code.  Those are surely mistakes as well.

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About