perl.perl5.porters | Postings from December 2012

Re: cPanel version of "Storable 2.39_01" breaks backwards compatibility

From: Ævar Arnfjörð Bjarmason
Date: December 27, 2012 13:12
Subject: Re: cPanel version of "Storable 2.39_01" breaks backwards compatibility
Message ID: CACBZZX4oN9fZHRfU8JiHgiKWWhpu4iP5dV7FLb_f5hhJfnt2Fw@mail.gmail.com
On Wed, Dec 26, 2012 at 9:41 PM, Todd Rinaldo <toddr@cpanel.net> wrote:

> The work around is to set $Storable::flags = 6 (in their script not
> the perl module) and it will revert the default behavior. If they
> change this globally in Storable.pm, cPanel will become insecure, so
> this is not recommended. It sounds like the people reporting these
> issues are cPanel customers. I would encourage them to open a ticket
> with cPanel if they need help.

Would you mind elaborating on how it will become less secure?

If cPanel is deserializing untrusted Storable data and hoping to make
it secure by not allowing objects (and thus disallowing code loaded at
a distance or executed at a distance via DESTROY) that's probably only
a cosmetic improvement.

I don't think Storable is meant to handle arbitrary untrusted input.
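The point made above (that a Storable blob from an untrusted source can reconstruct an object blessed into any class the receiving process already has, so that class's DESTROY runs on attacker-chosen contents) as an added Perl example that is not part of the thread or of Storable itself. The class name, the path, and the "attacker"/"receiver" split are assumptions for illustration; the meaning of $Storable::flags (6 = blessed and tied data allowed, the historical default; 0 = neither) is the one the thread describes for the cPanel 2.39_01 patch and that later core Storable (3.05+) adopted. On a Storable that does not implement the flag, the second call behaves exactly like the first.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread: thaw() of an untrusted blob
# blesses into an existing class and its DESTROY runs on attacker data.
use strict;
use warnings;
use Storable qw(freeze thaw);

# Stand-in (hypothetical) for a class the receiver already has loaded.
# Its DESTROY acts on the object's own fields; a real one might unlink
# $self->{path}, which is why the contents of the object matter.
package Receiver::TempFile;
sub new     { my ($class, $path) = @_; return bless { path => $path }, $class }
sub DESTROY { my $self = shift; print "Receiver::TempFile::DESTROY ran for $self->{path}\n" }

package main;

# "Attacker" side: serialize a hash blessed into the receiver's class name.
# Nothing from the receiver's code is needed, only the name of the class.
# The attacker controls its own serializer, so it freezes with flags = 6.
sub attacker_blob {
    local $Storable::flags = 6;    # BLESS_OK | TIE_OK
    return freeze(bless { path => '/tmp/chosen-by-attacker' }, 'Receiver::TempFile');
}

# Receiver side: thaw under a given $Storable::flags value. With 6 the
# blessed object is rebuilt and DESTROY fires as soon as $obj is released
# (here, when this sub returns). With 0 a Storable that honours the flag
# croaks instead of building the object, which eval() turns into a string.
sub receive {
    my ($bytes, $flags) = @_;
    local $Storable::flags = $flags;
    my $obj = eval { thaw($bytes) };
    return "thaw refused: $@" if $@;
    return "thawed a " . ref($obj) . " (DESTROY runs when it is released)";
}

my $blob = attacker_blob();

# The DESTROY line appears when receive() returns, before this print.
print "flags=6: ", receive($blob, 6), "\n";
print "flags=0: ", receive($blob, 0), "\n";
```

The flags=0 path only closes the bless/tie door; everything else thaw() reconstructs (deeply nested structures, sizes, reference cycles) is still attacker-controlled, which is the reason the message treats the object restriction as cosmetic rather than as making Storable safe for untrusted input.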
