perl.perl5.porters | Postings from December 2012

Re: cPanel version of "Storable 2.39_01" breaks backwards compatibility

From:
brian m. carlson
Date:
December 27, 2012 21:23
Subject:
Re: cPanel version of "Storable 2.39_01" breaks backwards compatibility
Message ID:
50DC840D.3020201@cpanel.net
[I'm not subscribed to p5p.]

On 12/27/12 16:50, Ævar Arnfjörð Bjarmason wrote:
> Modules that handle JSON were written & designed to handle untrusted
> data, Storable is not.
> 
> See https://github.com/mirrors/perl/commit/664f237#L1R1022 for a
> recent note Steffen added to the documentation about this.

This was added as a result of a security issue we reported to the Perl
Security Team about a month ago.  We are certainly aware of this.

> I'm curious as to why you're using Storable at all if you don't
> support the deserialization of objects, to preserve things like UTF-8
> flags and binary data?

The decision to use Storable precedes my presence at cPanel, but we're
moving away from it in favor of better alternatives that are more secure
(and faster as well).  There are some limitations (such as compatibility
with older versions of Perl) that prevent us from changing as quickly as
we'd like.

-- 
brian m. carlson
Release Manager / cPanel, Inc.
c: +1 (832) 623-2791 / w: +1 (713) 529-0800 x4068
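The point under discussion, that Storable restores whatever blessed object the bytes describe while a JSON decoder returns only plain data, is easy to see in a few lines of Perl. The following is an added example and is not code from this thread, from cPanel or from the Storable or JSON::PP distributions; the class name Demo::Cleanup and its DESTROY body are hypothetical stand-ins for any class that happens to be loaded in the process doing the deserialization. The frozen bytes are constructed in the same process here for brevity; in the situation the thread describes they would come from a file or a client.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable    qw(freeze thaw);
use JSON::PP    qw(encode_json decode_json);
use Scalar::Util qw(blessed reftype);

# Hypothetical class that is loaded in the deserializing process and has a
# destructor with side effects. Any real class with such a DESTROY would do.
package Demo::Cleanup;
sub new { my ($class, %args) = @_; return bless {%args}, $class }
sub DESTROY {
    my ($self) = @_;
    print "Demo::Cleanup::DESTROY ran for path=$self->{path}\n";
}

package main;

# Constructed input: the producer of the bytes picks the class name and the
# hash contents. Storable serializes the class name as a plain string.
my $bytes = freeze(Demo::Cleanup->new(path => '/tmp/whatever'));

{
    # thaw() blesses the result into the class named in the data, whether or
    # not the reader ever intended to accept objects.
    my $obj = thaw($bytes);
    printf "Storable: thawed a %s object (reftype %s)\n",
        blessed($obj) // 'unblessed', reftype($obj);
}   # $obj leaves scope here, so the class's DESTROY runs

# The same structure as JSON: decode_json() gives back an unblessed hash, and
# a class name is just another string value unless the reader opts in.
my $json = encode_json({ __CLASS__ => 'Demo::Cleanup', path => '/tmp/whatever' });
my $data = decode_json($json);
printf "JSON: decoded an %s %s\n",
    blessed($data) // 'unblessed', reftype($data);
```

The Storable branch prints a blessed Demo::Cleanup object and then the DESTROY message; the JSON branch prints an unblessed HASH and no destructor runs. Note that thaw() does not require the class to be loaded, so the only thing standing between untrusted bytes and a method call is which classes the receiving program has already pulled in.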



