Attached is the revised patch Check for the nul char in pathnames and string arguments to syscalls, return undef and set errno to ENOENT. Added to the default severe warnings category syscalls. Strings with embedded \0 chars were prev. ignored in the syscall but kept in perl. The hidden payloads in these invalid string args may cause unnoticed security problems, as they are hard to detect, ignored by the syscalls but kept around in perl PVs. Allow an ending \0 though, as several modules add a \0 to such strings without adjusting the length. Ignored on WinCE since this uses the wide char API. -- Reini Urban --- via perlbug: queue: perl5 status: open https://rt.perl.org:443/rt3/Ticket/Display.html?id=117265Thread Previous | Thread Next