
[Encode] 2.50 released!

Dan Kogai
April 26, 2013 18:56

Just $Encode::VERSION++'ed.  The biggest change is that Encode now propagates the taintedness of the source string.  Though perlsec states the taintedness can be laundered via hash keys and regexes, and many transcoding modules simply ignore the taintedness (especially XS-based ones), that is not the intention of Encode.

On 27 Apr 2013, at 01:44 , Mark Martinec (via RT) <> wrote:
> There is no excuse for such gratuitous laundering
> of data. It subverts usefulness of Perl taint
> protection mechanism and can open security holes
> in applications using Encode which are unaware of
> this bug (here is one example: [ #82294]).

So no excuse and just fixes and tests.  t/taint.t checks all encodings that come with Encode.

Unfortunately other 3rd party Encode:: modules may need tweaking for taintedness since is just an interface to the (de|en)code methods therein.  UCM-based encodings are fine since Encode.xs does the check for them, but custom encodings implemented in pure Perl (mostly via regexes or lookup tables by hashes) should do their own taint checking...

=head1 Availability

git clone git://
and CPAN near you.

Travis is all green:

=head1 CPAN index

 User: DANKOGAI (Dan Kogai)
 Distribution file: Encode-2.50.tar.gz
 Number of files: 205
 *.pm files: 26
 README: Encode-2.50/README
 META-File: Encode-2.50/META.json
 META-Parser: Parse::CPAN::Meta 1.4404
 META-driven index: no
 Timestamp of file: Fri Apr 26 18:36:59 2013 UTC
 Time of this run: Fri Apr 26 18:38:37 2013 UTC

=head1 Changes

$Revision: 2.50 $ $Date: 2013/04/26 18:30:46 $
! Encode.xs Unicode/Unicode.xs
  lib/Encode/Unicode/ lib/CN/ lib/Encode/
  Addressed: Encode::encode and Encode::decode 
             gratuitously launders tainted data
  Taintedness now propagates as it should.
  Addressed: 5.18 deprecation
! bin/piconv
  Applied: Update piconv documentation

=head1 AUTHOR

Dan the Encode Maintainer
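The laundering the post describes, and the fix a pure-Perl encoding has to apply itself, as an added example that is not code from Encode or from the post above.  It registers a hypothetical "hex" encoding (two hex digits per octet) as an Encode::Encoding subclass twice: once built the usual way from a regex and a hash lookup table, which returns untainted data whatever it is fed, and once re-attaching the source's taint flag through an empty substr() of the source.  The package names, encoding names, helper names and the sample input are all made up for the demonstration; Scalar::Util::tainted is the only thing relied on beyond Encode itself.

```perl
#!/usr/bin/perl -T
# Added example, not code from Encode or from the original post.
# A pure-Perl encoding ("hex", hypothetical) built from a regex and a hash
# lookup table, registered twice: in the form that launders taint and in a
# form that propagates it.  Run with:  perl -T taint_demo.pl
use strict;
use warnings;
use Encode ();
use Scalar::Util qw(tainted);

# Lookup tables: two hex digits <-> one octet/character.
my %HEX2CHR = map { sprintf('%02x', $_) => chr($_) } 0 .. 255;
my %CHR2HEX = reverse %HEX2CHR;

# Both helpers return untainted data regardless of input: regex captures are
# untainted (without 'use re "taint"'), and a hash value fetched through a
# tainted key is the stored, untainted value.
sub hex_to_chars {
    my ($octets) = @_;
    return join '', map { $HEX2CHR{ lc $_ } // "\x{FFFD}" } $octets =~ /(..)/g;
}

sub chars_to_hex {
    my ($string) = @_;
    return join '', map { $CHR2HEX{$_} // '3f' } split //, $string;
}

# The laundering form: exactly what the post warns about.
package Encode::Demo::LeakyHex {
    use parent 'Encode::Encoding';
    __PACKAGE__->Define('leaky-hex');

    sub decode {
        my ($self, $octets, $chk) = @_;
        my $string = main::hex_to_chars($octets);
        $_[1] = '' if $chk;    # Encode convention: consume the source when $chk is set
        return $string;
    }

    sub encode {
        my ($self, $string, $chk) = @_;
        my $octets = main::chars_to_hex($string);
        $_[1] = '' if $chk;
        return $octets;
    }
}

# The propagating form: an empty substr() of the source is still tainted,
# so appending it re-taints the otherwise laundered result.
package Encode::Demo::TaintingHex {
    use parent 'Encode::Encoding';
    __PACKAGE__->Define('tainting-hex');

    sub decode {
        my ($self, $octets, $chk) = @_;
        my $string = main::hex_to_chars($octets) . substr($octets, 0, 0);
        $_[1] = '' if $chk;
        return $string;
    }

    sub encode {
        my ($self, $string, $chk) = @_;
        my $octets = main::chars_to_hex($string) . substr($string, 0, 0);
        $_[1] = '' if $chk;
        return $octets;
    }
}

# Constructed taint source: every %ENV value is tainted under -T, and an
# empty substr() of one keeps that flag, so $TAINT taints whatever it joins.
my $TAINT = substr(join('', values %ENV), 0, 0);
die "Run this script under 'perl -T' to see taint propagation.\n"
    unless tainted($TAINT);

# Round-trip one constructed attacker-controlled value through an encoding
# and report whether the taint flag survived each direction.
sub taint_report {
    my ($name) = @_;
    my $octets = '48656c6c6f' . $TAINT;    # constructed: "Hello" in hex, tainted
    my $string = Encode::decode($name, $octets);
    my $back   = Encode::encode($name, $string . $TAINT);
    return {
        decoded         => $string,
        decoded_tainted => tainted($string) ? 1 : 0,
        encoded         => $back,
        encoded_tainted => tainted($back)   ? 1 : 0,
    };
}

for my $name (qw(leaky-hex tainting-hex)) {
    my $r = taint_report($name);
    printf "%-13s decode=%-6s tainted=%d  encode=%-10s tainted=%d\n",
        $name, $r->{decoded}, $r->{decoded_tainted},
        $r->{encoded}, $r->{encoded_tainted};
}
```

Run it as `perl -T taint_demo.pl` (the script dies with a hint if taint mode is off, because nothing is tainted then).  The leaky-hex line is the bug Mark reported, reproduced in a third-party encoding: both regex captures and hash lookups hand back untainted strings, so a caller checking tainted() on the decoded value sees it as safe.  The tainting-hex line shows the cheapest fix for a pure-Perl encoding, which is to concatenate `substr($source, 0, 0)` onto the result; the empty string carries the source's taint flag and nothing else, so the transcoding logic itself does not change.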
