develooper Front page | perl.perl5.porters | Postings from December 2012

Re: cPanel version of "Storable 2.39_01" breaks backwards compatibility

brian m. carlson
December 27, 2012 21:23
[I'm not subscribed to p5p.]

On 12/27/12 16:50, Ævar Arnfjörð Bjarmason wrote:
> Modules that handle JSON were written & designed to handle untrusted
> data, Storable is not.
> See for a
> recent note Steffen added to the documentation about this.

This was added as a result of a security issue we reported to the Perl
Security Team about a month ago.  We are certainly aware of this.

> I'm curious as to why you're using Storable at all if you don't
> support the deserialization of objects, to preserve things like UTF-8
> flags and binary data?

The decision to use Storable precedes my presence at cPanel, but we're
moving away from it in favor of better alternatives that are more secure
(and faster as well).  There are some limitations (such as compatibility
with older versions of Perl) that prevent us from changing as quickly as
we'd like.

brian m. carlson
Release Manager / cPanel, Inc.
c: +1 (832) 623-2791 / w: +1 (713) 529-0800 x4068
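The thread's point is that JSON decoders return only plain data while Storable can reconstitute arbitrary blessed objects, and Ævar's question is how to keep binary data and UTF-8 text apart once Storable is dropped. The following is an added illustration, not code from this thread or from cPanel: a schema-driven JSON round-trip in which the caller declares which fields are raw bytes (the `%BINARY_FIELDS` table, the record contents and the base64 envelope are all constructed here), so text and binary survive without relying on the UTF-8 flag as a type hint.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed schema: fields holding raw bytes are named explicitly rather than
# inferred from the string's UTF-8 flag, which is an internal detail, not a type.
my %BINARY_FIELDS = (blob => 1);

# Constructed sample record: one character string and one run of raw bytes.
my $record = {
    name => "caf\x{e9}",                  # text (character string)
    blob => pack("C*", 0, 255, 1, 2),     # binary payload
};
utf8::upgrade($record->{name});           # force the UTF-8 flag on, as Storable would see it

# Encode: binary fields are base64-wrapped, text is emitted as JSON strings.
sub to_json_safe {
    my ($data) = @_;
    my %out;
    for my $k (sort keys %$data) {
        $out{$k} = $BINARY_FIELDS{$k}
            ? { t => 'bin', v => encode_base64($data->{$k}, '') }
            : { t => 'str', v => $data->{$k} };
    }
    return JSON::PP->new->canonical->utf8->encode(\%out);
}

# Decode: the result is plain hashes and scalars only; nothing is ever blessed,
# and any entry that does not match the expected envelope is rejected.
sub from_json_safe {
    my ($json) = @_;
    my $in = JSON::PP->new->utf8->decode($json);
    die "top level must be an object" unless ref $in eq 'HASH';
    my %data;
    for my $k (keys %$in) {
        my $e = $in->{$k};
        die "malformed entry '$k'"
            unless ref $e eq 'HASH' && defined $e->{t} && defined $e->{v} && !ref $e->{v};
        if    ($e->{t} eq 'str') { $data{$k} = $e->{v} }
        elsif ($e->{t} eq 'bin') { $data{$k} = decode_base64($e->{v}) }
        else  { die "unknown tag '$e->{t}' for '$k'" }
    }
    return \%data;
}

my $back = from_json_safe(to_json_safe($record));
print(($back->{name} eq $record->{name} && $back->{blob} eq $record->{blob})
      ? "roundtrip ok\n" : "mismatch\n");
```

Because the consumer only ever sees plain hashes and base64 strings, no class constructor or DESTROY method can run during decoding, which is the property the thread contrasts with Storable.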
