[I'm not subscribed to p5p.]

On 12/27/12 16:50, Ævar Arnfjörð Bjarmason wrote:
> Modules that handle JSON were written & designed to handle untrusted
> data, Storable is not.
>
> See https://github.com/mirrors/perl/commit/664f237#L1R1022 for a
> recent note Steffen added to the documentation about this.

This was added as a result of a security issue we reported to the Perl Security Team about a month ago. We are certainly aware of this.

> I'm curious as to why you're using Storable at all if you don't
> support the deserialization of objects, to preserve things like UTF-8
> flags and binary data?

The decision to use Storable precedes my presence at cPanel, but we're moving away from it in favor of better alternatives that are more secure (and faster as well). There are some limitations (such as compatibility with older versions of Perl) that prevent us from changing as quickly as we'd like.

-- 
brian m. carlson
Release Manager / cPanel, Inc.
c: +1 (832) 623-2791 / w: +1 (713) 529-0800 x4068