develooper Front page | perl.perl5.porters | Postings from September 2014

Re: fix for CVE-2014-4330 present in blead

Thread Previous | Thread Next
From:
Father Chrysostomos
Date:
September 18, 2014 15:23
Subject:
Re: fix for CVE-2014-4330 present in blead
Message ID:
20140918152337.28374.qmail@lists-nntp.develooper.com
I wrote:
> Ricardo Signes wrote:
> > This patch has been pre-seeded to downstream vendors, who will apply it as they
> > see fit.  Expect a new release of Data::Dumper soon.
> 
> Instead of changing the behaviour and setting the default to 1000
> whether the user asked for it or not, shouldn’t we instead have the
> XS implementation fall back to the Perl implementation if it reaches
> this limit?

And from the standpoint of a user, what is the difference between
maxdepth and maxrecurse?  I guess it's that the latter croaks, but
that is not obvious from the names.  We have effectively provided
a default maxdepth of 1000, whether the user asks for it or not.
Another thing that does not make sense is that maxrecurse is docu-
mented as being a security measure, to avoid running out of stack
space, but the pure-Perl implementation, which is not subject to that
type of problem, also implements the recursion limit (and by default,
too, though here it has nothing to do with security).


Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About