
Re: fix for CVE-2014-4330 present in blead

From:
demerphq
Date:
September 18, 2014 21:02
Subject:
Re: fix for CVE-2014-4330 present in blead
Message ID:
CANgJU+VQeZosf_6sUh0_-f-d4Om81+4Qv15DGt2y8c-vZ1TG7Q@mail.gmail.com
On 18 September 2014 20:29, Father Chrysostomos <sprout@cpan.org> wrote:

> Yves Orton wrote:
> > On 18 September 2014 15:30, Father Chrysostomos <sprout cpan.org> wrote:
> > > Instead of changing the behaviour and setting the default to 1000
> > > whether the user asked for it or not, shouldn't we instead have the
> > > XS implementation fall back to the Perl implementation if it reaches
> > > this limit?
> > >
> > >
> > Personally I would say no. If someone wanted to use the Pure Perl version
> > they would. Falling back to it IMO could make the use case worse.
>
> How could it make it worse?  If I'm already dumping structures 2000
> levels deep (a Mac has no problem with that; 1000 is a joke),


Personally I am not so sure. A dump 1000 layers deep is probably going to
be huge (unless it is a trivial set of scalar refs), and on average mostly
contain whitespace.


> then
> my code is going to break.  I would rather have it continue working,
> albeit slowly, than simply croak.
>

I can see some people agreeing with you, and some people not.  Certainly in
some use cases breaking rather than being slow is preferred.

Having said that, I bet most people won't even notice.


>
> We have introduced a backward-incompatible change here.
>
>
True, but DD is primarily intended as a debugging tool, so I doubt it will
matter. (And if people are using it as a serialization tool then they need
their head examined -- and that is coming from the guy that wrote
Data::Undump which makes it actually possible to more or less safely
deserialize a DD dump without using eval.)

cheers,
Yves

-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
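The behaviour the thread argues about, as an added example that is not part of the original post or of the Data::Dumper distribution: it assumes a Data::Dumper that carries the CVE-2014-4330 fix (2.154 or later), where the depth limit discussed above is exposed as `$Data::Dumper::Maxrecurse` (default 1000) and `$Data::Dumper::Useperl` selects the pure-Perl implementation. The nested structures are constructed inline. It shows that both the XS and the pure-Perl dumper croak once the limit is exceeded rather than exhausting the C stack, and that a caller who really needs a 2000-level dump raises the limit explicitly instead of relying on an automatic fallback.

```perl
#!/usr/bin/env perl
# Added example (not from the p5p thread): exercising Data::Dumper's recursion
# limit, which the discussed fix exposes as $Data::Dumper::Maxrecurse
# (assumed: Data::Dumper 2.154 or later; default limit 1000).
use strict;
use warnings;
use Data::Dumper;

# Build a chain of nested array refs of the requested depth (constructed input).
sub nested {
    my ($depth) = @_;
    my $ref = ['leaf'];
    $ref = [$ref] for 1 .. $depth - 1;
    return $ref;
}

# Dump $data under a given recursion limit with either the XS or the
# pure-Perl dumper. Returns (1, dump length) on success or (0, error) on croak.
sub try_dump {
    my ($data, $limit, $useperl) = @_;
    local $Data::Dumper::Maxrecurse = $limit;     # 0 would disable the limit
    local $Data::Dumper::Useperl    = $useperl;   # 1 forces the pure-Perl dumper
    local $Data::Dumper::Indent     = 0;          # keep the output compact
    my $out = eval { Dumper($data) };
    return (1, length $out) if defined $out;
    ( my $err = $@ ) =~ s/\s+\z//;
    return (0, $err);
}

# Depth 500 is within the default limit; depth 2000 (the case raised in the
# thread) exceeds it and croaks in both implementations.
for my $depth (500, 2000) {
    my $data = nested($depth);
    for my $useperl (0, 1) {
        my ($ok, $info) = try_dump($data, 1000, $useperl);
        printf "depth %4d, %-9s: %s\n", $depth,
            ( $useperl ? 'pure Perl' : 'XS' ),
            ( $ok ? "dumped ($info bytes)" : "croaked: $info" );
    }
}

# The caller-side choice the thread argues about: raise the limit explicitly
# for a structure you know to be deep, rather than having the XS code fall
# back to the slower pure-Perl implementation on its own.
my ($ok, $info) = try_dump(nested(2000), 3000, 0);
print "depth 2000 with Maxrecurse=3000: ",
    ( $ok ? "dumped ($info bytes)" : "croaked: $info" ), "\n";
```

Wrapping `Dumper` in `eval` is the point for callers that dump untrusted or unbounded structures: the limit turns a potential stack exhaustion into a catchable exception, and raising `$Data::Dumper::Maxrecurse` (or setting it to 0) is a deliberate, local opt-in rather than a silent change of implementation.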
