
[perl #117267] [PATCH] d37efd2 no warnings 'safenames', check nul in names

From: Tony Cook via RT
Date: June 28, 2013 06:10
Subject: [perl #117267] [PATCH] d37efd2 no warnings 'safenames', check nul in names
Message ID: rt-3.6.HEAD-2552-1372399792-698.117267-15-0@perl.org

On Sat Mar 23 07:07:08 2013, davem wrote:
> On Thu, Mar 21, 2013 at 09:30:17AM -0700, rurban@cpanel.net wrote:
> > Add a new fatal warnings category safenames.
> > Check for invalid and potentially insecure embedded \0 in
> > symbol and classnames, which were until 5.16 silently ignored,
> > and for 5.16 allowed. Since 5.16 names are internally nul-safe,
> > but such hidden payloads are useless for perl, are hard to detect
> > and may lead to security problems.
> 
> Thanks for this, but...
> 
> In the continuing absence of any specific evidence that allowing \0's in a
> symbol table entry is a security risk, I'm not personally keen on this
> feature being added to perl. If it were added, then I'm not very keen on
> the "mandatory croak when general warnings are enabled" approach.

Based on the discussion in this ticket, of which Dave's response wasn't
the only one, I plan to close this ticket in a few days.

Tony


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org:443/rt3/Ticket/Display.html?id=117267
