develooper Front page | perl.perl5.porters | Postings from December 2012

Re: cPanel version of "Storable 2.39_01" breaks backwards compatibility

Thread Previous | Thread Next
Ævar Arnfjörð Bjarmason
December 27, 2012 13:12
Re: cPanel version of "Storable 2.39_01" breaks backwards compatibility
Message ID:
On Wed, Dec 26, 2012 at 9:41 PM, Todd Rinaldo <> wrote:

> The work around is to set $Storable::flags = 6 (in their script not
> the perl module) and it will revert the default behavior. If they
> change this globally in, cPanel will become insecure, so
> this is not recommended. It sounds like the people reporting these
> issues are cPanel customers. I would encourage them to open a ticket
> with cPanel if they need help.

Would you mind elaborating on how it will become less secure?

If cPanel is deserializing untusted Storable data and hoping to make
it secure by not allowing objects (and thus disallowing code loaded at
a distance or executed at a distance via DESTROY) that's probably only
a cosmetic improvement.

I don't think Storable is meant to handle arbitrary untrusted input.

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About