Front page | perl.perl5.porters |
Postings from November 2017
These functions are not listed in the public API, though they are accessible from anywhere. They are not used in CPAN. I propose to mark them as core-only, so they can't be used (without skulduggery) outside it. The reason is that I think a better API should be created. The problem is that the caller now is supposed to know the worst case buffer size, preallocate that, and the function blindly assumes this has been done, so if it hasn't out-of-bounds writes are possible. Worse, the documentation, until a very recent commit I made, specified too small a size, one which would overflow in the worst case (though only on EBCDIC platforms). (That documentation, since these aren't in the public API) is in the form of comments at the function source. It is a potential security hole to allow this. That's why we use strlcpy() instead of strcpy(), and have changed the other Unicode functions to pass in a length.Thread Next