
Re: fix for CVE-2014-4330 present in blead

September 18, 2014 21:02
On 18 September 2014 20:29, Father Chrysostomos <> wrote:

> Yves Orton wrote:
> > On 18 September 2014 15:30, Father Chrysostomos <sprout> wrote:
> > > Instead of changing the behaviour and setting the default to 1000
> > > whether the user asked for it or not, shouldn't we instead have the
> > > XS implementation fall back to the Perl implementation if it reaches
> > > this limit?
> > >
> > Personally I would say no. If someone wanted to use the Pure Perl version
> > they would. Falling back to it IMO could make the use case worse.
> How could it make it worse?  If I'm already dumping structures 2000
> levels deep (a Mac has no problem with that; 1000 is a joke),

Personally I am not so sure. A dump 1000 layers deep is probably going to
be huge (unless it is a trivial set of scalar refs), and on average mostly
contain whitespace.

> then
> my code is going to break.  I would rather have it continue working,
> albeit slowly, than simply croak.

I can see some people agreeing with you, and some people not.  Certainly in
some use cases breaking rather than being slow is preferred.

Having said that, I bet most people won't even notice.

> We have introduced a backward-incompatible change here.

True, but DD is primarily intended as a debugging tool; I doubt it will
matter. (And if people are using it as a serialization tool then they need
their head examined -- and that is coming from the guy that wrote
Data::Undump, which makes it actually possible to more or less safely
deserialize a DD dump without using eval.)
perl -Mre=debug -e "/just|another|perl|hacker/"
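The behaviour being debated above (croak at the depth limit rather than keep going) can be observed directly. The following is an added example, not code from this thread or from Data::Dumper itself; it assumes a Data::Dumper release that carries the CVE-2014-4330 fix, where the recursion limit is exposed as `$Data::Dumper::Maxrecurse` (per the module's documentation, default 1000, and 0 removes the limit), and it uses constructed nested array references as input.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Build a nested array reference $depth levels deep (constructed sample input).
sub deep_ref {
    my ($depth) = @_;
    my $node = 1;                        # innermost scalar
    $node = [ $node ] for 1 .. $depth;   # wrap it $depth times
    return $node;
}

# Dump $ref inside eval and report whether Data::Dumper croaked.
sub try_dump {
    my ($label, $ref) = @_;
    local $Data::Dumper::Indent = 0;     # compact output; depth is what matters here
    my $out = eval { Dumper($ref) };
    if (defined $out) {
        printf "%-32s ok, %d bytes of output\n", $label, length $out;
    } else {
        (my $err = $@) =~ s/\n.*//s;     # keep only the first line of the error
        printf "%-32s croaked: %s\n", $label, $err;
    }
}

my $shallow = deep_ref(500);
my $deep    = deep_ref(2000);

# With the post-fix default limit (1000), the 2000-deep structure croaks
# while the 500-deep one dumps normally.
try_dump('2000 deep, default limit', $deep);
try_dump('500 deep, default limit',  $shallow);

# Raising the limit explicitly (assumed variable name, from the module docs)
# restores the old behaviour for this scope only.
{
    local $Data::Dumper::Maxrecurse = 5000;
    try_dump('2000 deep, Maxrecurse=5000', $deep);
}

# Setting the limit to 0 removes it entirely, which is the opt-in that code
# legitimately dumping very deep structures would need after the change.
{
    local $Data::Dumper::Maxrecurse = 0;
    try_dump('2000 deep, Maxrecurse=0', $deep);
}
```

Wrapping `Dumper` in `eval` is the practical way to notice the croak in existing code: a caller that previously relied on a deep dump completing will now see `$@` set, and can either raise the limit for that call or treat the failure as the "break rather than be slow" outcome the thread describes.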
