
Re: Security Issues in perl-5.16.x

From: Aristotle Pagaltzis
Date: October 6, 2012 18:43
Subject: Re: Security Issues in perl-5.16.x
Message ID: 20121007014326.GC21194@fernweh.plasmasturm.org

* bulk 88 <bulk88@hotmail.com> [2012-10-06 07:40]:
> I think the question is, is the user responsible for sanitizing I/O to
> disk, or is it Perl responsible? And what about OSes that are fine
> with a null or any byte in the filename (I'm not sure which these are)?
> And are hash keys and/or package names supposed to be only of
> printable characters or not?

I laid out my thinking on that part in my other message, with ID
<20121007013852.GB21194@fernweh.plasmasturm.org>.

> From reading here and on #p5p, why is storing shellcode in a module
> name given to require so much more dangerous than storing it in
> a scalar? Or are there Perl GUI editors where the watch windows are
> vulnerable to null truncation hiding the exploit payload right in front
> of the eyes of the developer who is step debugging it?

I consider the shellcode concern a red herring. It has been extensively
debunked; only Reini was arguing it.
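
An added example (my own code, not anything posted in this thread) of the caller-side sanitizing bulk88 asks about: a wrapper that checks a package name against bareword syntax before handing it to require, so a name carrying an embedded NUL is rejected outright instead of being truncated into the path of a different file by a perl that stops pathnames at the first NUL. The names `validate_module_name` and `safe_require` are assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accept only what a bareword package name may contain: ASCII identifier
# components joined by '::'.  A NUL, a '/', a '..' or any other byte that
# could change which file require opens fails this check.
sub validate_module_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/
        ? 1 : 0;
}

# Render a name for messages without letting a NUL disappear from the output.
sub show_name {
    my ($name) = @_;
    (my $shown = $name) =~ s/\0/\\0/g;
    return $shown;
}

# Validate first, then translate Foo::Bar to Foo/Bar.pm and require it.
sub safe_require {
    my ($name) = @_;
    die "refusing to require unsafe module name: " . show_name($name) . "\n"
        unless validate_module_name($name);
    (my $path = $name) =~ s{::}{/}g;
    return require "$path.pm";
}

# Constructed inputs: two legitimate names, one with an embedded NUL,
# and one attempting a relative path.
for my $candidate ("strict", "File::Spec", "File\0::Spec", "../etc/passwd") {
    my $ok  = eval { safe_require($candidate); 1 };
    my $err = $@;
    chomp $err;
    printf "%-16s %s\n", show_name($candidate), $ok ? "loaded" : $err;
}
```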
