
[perl #117267] [PATCH] d37efd2 no warnings 'safenames', check nul in names

Tony Cook via RT
June 28, 2013 06:10
On Sat Mar 23 07:07:08 2013, davem wrote:
> On Thu, Mar 21, 2013 at 09:30:17AM -0700, wrote:
> > Add a new fatal warnings category safenames.
> > Check for invalid and potentially insecure embedded \0 in
> > symbol and classnames, which were until 5.16 silently ignored,
> > and for 5.16 allowed. Since 5.16 names are internally nul-safe,
> > but such hidden payloads are useless for perl, are hard to detect
> > and may lead to security problems.
> Thanks for this, but...
> In the continuing absence of any specific evidence that allowing \0's in a
> symbol table entry is a security risk, I'm not personally keen on this
> feature being added to perl. If it were added, then I'm not very keen on
> the "mandatory croak when general warnings are enabled" approach.

Based on the discussion in this ticket, of which Dave's response wasn't
the only one, I plan to close this ticket in a few days.


via perlbug:  queue: perl5 status: open
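
An added illustration, not part of this thread and not the patch under discussion: the check described in the quoted patch summary (embedded \0 in symbol and class names) can be done in ordinary Perl, as a validation before a name is used and as an audit of a package's symbol table. The helper names checked_name, nul_names_in and show and the Demo package are hypothetical, and the sample names are constructed.

```perl
use strict;
use warnings;
use Carp qw(croak);

# Render a name for logs with any NUL made visible as the two characters \0.
sub show { (my $s = shift) =~ s/\0/\\0/g; return $s }

# Hypothetical helper (not a perl core API): refuse a class or symbol name
# that contains NUL before it is used in bless() or a symbolic glob lookup.
sub checked_name {
    my ($name) = @_;
    croak "name is undefined" unless defined $name;
    my $pos = index($name, "\0");
    croak sprintf("embedded NUL at offset %d in name '%s'", $pos, show($name))
        if $pos >= 0;
    return $name;
}

# Audit: list the entries of a package's symbol table whose names contain NUL.
sub nul_names_in {
    my ($pkg) = @_;
    no strict 'refs';
    return grep { index($_, "\0") >= 0 } sort keys %{"${pkg}::"};
}

# Constructed sample: on perl 5.16 and later the full name, NUL included,
# is stored in the symbol table.
{
    no strict 'refs';
    *{"Demo::visible\0hidden"} = sub { 1 };
    *{"Demo::plain"}           = sub { 1 };
}

print "NUL in stash entry: ", show($_), "\n" for nul_names_in('Demo');

# Validate candidate class names the way a caller would before bless().
for my $class ("Demo", "Demo\0::Shadow") {
    my $ok = eval { checked_name($class); 1 };
    print $ok ? "accepted: " . show($class) . "\n" : "rejected: $@";
}
```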
