
Re: fix for CVE-2014-4330 present in blead

From: demerphq
Date: September 18, 2014 16:21
Subject: Re: fix for CVE-2014-4330 present in blead
Message ID: CANgJU+WH9gLpMUZaqwmhovJPY+Ppifj0xJqFWerLaeD0UwimQw@mail.gmail.com
On 18 September 2014 17:23, Father Chrysostomos <sprout@cpan.org> wrote:

> I wrote:
> > Ricardo Signes wrote:
> > > This patch has been pre-seeded to downstream vendors, who will apply
> it as they
> > > see fit.  Expect a new release of Data::Dumper soon.
> >
> > Instead of changing the behaviour and setting the default to 1000
> > whether the user asked for it or not, shouldn’t we instead have the
> > XS implementation fall back to the Perl implementation if it reaches
> > this limit?
>
> And from the standpoint of a user, what is the difference between
> maxdepth and maxrecurse?  I guess it's that the latter croaks, but
> that is not obvious from the names.


Maxdepth says "Dump the first K layers of data structure, and don't bother
going deeper" and is disabled when Purity is true.

Maxrecurse says "If I get deeper than K layers, die", and should not be
disabled when Purity is true.


>   We have effectively provided
> a default maxdepth of 1000, whether the user asks for it or not.
>

This is subject to interpretation. Since Maxrecurse should make DD die, I
don't see that as being the same as setting a maxdepth default of 1000.


> Another thing that does not make sense is that maxrecurse is
> documented as being a security measure, to avoid running out of stack
> space, but the pure-Perl implementation, which is not subject to that
> type of problem, also implements the recursion limit (and by default,
> too, though here it has nothing to do with security).
>

This IMO is a good point. The pure-perl version does not need this
protection so it shouldn't have it.

Yves

-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
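To make the Maxdepth/Maxrecurse distinction discussed in this thread concrete, here is an added example script (not part of the thread, and not Data::Dumper's own code). It assumes a Data::Dumper that already carries the Maxrecurse option the CVE-2014-4330 fix introduced, and uses the documented `$Data::Dumper::Useperl` switch to exercise the pure-Perl dumper as well as the XS one. The nested structure is constructed inline; it has no cycles, so Purity has no other effect than disabling Maxdepth.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Constructed input: an array reference nested 50 levels deep, no cycles.
sub build_nested {
    my ($levels) = @_;
    my $outer = [];
    my $cur   = $outer;
    for (1 .. $levels) {
        my $next = [];
        push @$cur, $next;
        $cur = $next;
    }
    return $outer;
}

my $deep = build_nested(50);

# 1. Maxdepth: dump only the first 3 layers. Anything deeper is emitted as a
#    stringified reference (e.g. 'ARRAY(0x...)') and never descended into.
#    The dump succeeds; the output is simply truncated.
my $d = Data::Dumper->new([$deep], ['deep'])->Indent(0)->Maxdepth(3);
print "Maxdepth(3): ", $d->Dump, "\n";

# 2. Maxdepth is documented as having no effect when Purity is set, so the
#    same configuration plus Purity(1) walks all 50 levels.
my $p = Data::Dumper->new([$deep], ['deep'])->Indent(0)->Maxdepth(3)->Purity(1);
my $full = $p->Dump;
printf "Maxdepth(3) + Purity(1): %d characters, structure fully dumped\n",
    length $full;

# 3. Maxrecurse: a hard ceiling. Exceeding it throws an exception instead of
#    returning a truncated dump, so a caller has to wrap Dump in eval if it
#    wants to survive a structure deeper than the limit. Run once against the
#    XS dumper and once with Useperl=1 (pure-Perl), which is the case the
#    thread argues does not need the limit for stack-safety reasons.
for my $useperl (0, 1) {
    local $Data::Dumper::Useperl = $useperl;
    my $out = eval {
        Data::Dumper->new([$deep], ['deep'])->Indent(0)->Maxrecurse(10)->Dump;
    };
    if (defined $out) {
        print "Useperl=$useperl Maxrecurse(10): returned output, limit not hit\n";
    } else {
        print "Useperl=$useperl Maxrecurse(10): died: $@";
    }
}
```

Run it as `perl maxdepth_vs_maxrecurse.pl`. The first two dumps return normally (one truncated, one complete), while both Maxrecurse runs die inside the eval; the only code-path difference between the two is whether the recursion happened in C or in Perl.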
