On 18 September 2014 15:30, Father Chrysostomos <sprout@cpan.org> wrote:
> Ricardo Signes wrote:
> > I have just pushed up 19be3be6, which addresses CVE-2014-4330.
> >
> > CVE-2014-4330 reports a stack exhaustion bug in Data::Dumper, when it attempts
> > to recurse without limit. The bug was reported by LSE Leading Security Experts
> > GmbH employee Markus Vervier. The fix was written by Tony Cook. By default,
> > Data::Dumper will now limit recursion to 1000 levels, but this can be
> > configured by $Maxrecurse.
> >
> > This patch has been pre-seeded to downstream vendors, who will apply it as they
> > see fit. Expect a new release of Data::Dumper soon.
>
> Instead of changing the behaviour and setting the default to 1000
> whether the user asked for it or not, shouldn't we instead have the
> XS implementation fall back to the Perl implementation if it reaches
> this limit?
>

Personally I would say no. If someone wanted to use the Pure Perl version they would. Falling back to it IMO could make the use case worse.

Yves

--
perl -Mre=debug -e "/just|another|perl|hacker/"
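A worked illustration of the $Maxrecurse limit described in the quoted announcement. This is an added example, not code from the thread, from the CVE-2014-4330 fix, or from Data::Dumper's own test suite; it assumes a Data::Dumper new enough to carry the fix (so that $Data::Dumper::Maxrecurse exists) and constructs its own deeply nested input. It shows that a shallow structure dumps normally, that a structure deeper than the default limit of 1000 levels makes Dumper() throw an exception instead of exhausting the stack, and that raising $Data::Dumper::Maxrecurse lets the deeper dump through. Maxdepth, shown at the end for contrast, is a separate option the thread does not mention: it truncates rather than throws.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Build an array reference nested $depth levels deep: [[[ ... 'leaf' ... ]]].
# Stands in for untrusted input (constructed here, not real data).
sub nested_ref {
    my ($depth) = @_;
    my $node = 'leaf';
    $node = [$node] for 1 .. $depth;
    return $node;
}

# Dump $data under an optional recursion limit and return a short summary
# instead of the (potentially huge) dump itself.  Dumper() throws
# "Recursion limit of N exceeded" when the structure is deeper than
# $Data::Dumper::Maxrecurse, so the call is wrapped in eval.
sub try_dump {
    my ($data, $limit) = @_;
    local $Data::Dumper::Indent     = 0;                       # single-line output
    local $Data::Dumper::Maxrecurse = defined $limit ? $limit  # keep default if no limit given
                                                     : $Data::Dumper::Maxrecurse;
    my $out = eval { Dumper($data) };
    if (defined $out) {
        return sprintf "ok, %d bytes", length $out;
    }
    chomp(my $err = $@);
    return "died: $err";
}

my $shallow = nested_ref(10);
my $deep    = nested_ref(2_000);    # beyond the default limit of 1000 levels

print "shallow, default limit : ", try_dump($shallow),        "\n";
print "deep, default limit    : ", try_dump($deep),           "\n";   # dies
print "deep, limit raised     : ", try_dump($deep, 5_000),    "\n";   # ok

# Contrast: Maxdepth does not throw; it stops descending and prints the
# deeper references as plain 'ARRAY(0x...)' strings.  Useful when a glimpse
# of untrusted data is enough and a faithful dump is not required.
{
    local $Data::Dumper::Indent   = 0;
    local $Data::Dumper::Maxdepth = 3;
    print "deep, Maxdepth=3       : ", Dumper($deep), "\n";
}
```

Setting $Data::Dumper::Maxrecurse to 0 removes the limit entirely, which restores the pre-fix behaviour on deeply nested input; code that dumps data it does not control should keep the limit and handle the exception, as try_dump() does above.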