develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Aristotle Pagaltzis
October 6, 2012 18:43
Message ID:
* bulk 88 <> [2012-10-06 07:40]:
> I think the question is, is the user responsible for sanitizing I/O to
> disk, or is Perl responsible? And what about OSes that are fine
> with a null or any byte in the filename (I'm not sure which these are)?
> And are hash keys and/or package names supposed to be only of
> printable characters or not?

I laid out my thinking on that part in my other message, with ID

> From reading here and on #p5p, why is storing shellcode in a module
> name given to require so much more dangerous than storing it in
> a scalar? Or are there Perl GUI editors where the watch windows are
> vulnerable to null truncation hiding the exploit payload right in front
> of the eyes of the developer who is step debugging it?

I consider the shellcode concern a red herring. It has been extensively
debunked; only Reini was arguing it.
