On 10/17/2016 11:32 AM, Michael Schroeder wrote:
> On Sat, Oct 15, 2016 at 06:52:59PM +0200, Sawyer X wrote:
>> This took a long time, but we're finally here!
> Hmm, it still contains the base.pm INC mess. I thought there was some
> consensus to revert it back to the 5.24.0 state?

This is incorrect. There were discussions on the list in which multiple suggestions were offered. This included providing the original patch, providing an alternative patch, or reverting the entire patch. There was no consensus.

The discussions continued on and off the security mailing list and a decision was made to keep a patch, but a revised one, to minimize the possible damage as much as possible, but retain the security benefits.

> See the "Alternative Fix for base.pm dot-in-INC mechanic." p5p
> thread. As stated there, the current code punishes those cases where
> the old code was perfectly safe, and leads to unpredictable
> behavior in the problematic cases (when %{"$base\::"} is not empty).

While it might "punish" some legitimate usages, it - at the same time - defends users who are unaware of the security implications involved and are possibly vulnerable to them.

The decision was based on defending rather than hoping users won't be attacked. That is the approach that yielded the original set of patches and it is the approach that yielded a patch (albeit revised) to this particular module as well.

> I don't see how you can ship that as a maintenance update.

I understand it is important to you, Michael, and I respect that. I hope you understand it is important to us as well and that is why we decided on this course of action. It is our position that security in this case takes precedence.

If this was not part of a maintenance release (and dual-life modules), then this would have only benefited whoever changed to 5.26, which we consider insufficient.

We have also tried finding a way in which no legitimate usages of base.pm will be affected, but we could not.

We apologize for any problems this causes you, but we consider this the best we could do.

Sawyer.