Welcome to Perl 5 Porters Weekly, a summary of the email traffic of the
perl5-porters email list.
Topics this week include:
- security notice: Storable
- security notice: Locale::Maketext
- Does Unicode mandate a collation order?
- a job for someone? SvREFCNT_dec_NN()
- CERT Perl Secure Coding Standard
security notice: Storable
Ricardo Signes published a security notice about the Storable module that
ships in Perl’s core. He writes:
A number of times over the years, there's been discussion about Storable as a vector for attack. If a user can feed you Storable data that you didn't expect, he has a good chance of doing nasty things to your program. This has been discussed on p5p and at YAPCs, but sadly never made it into the documentation. This has been fixed[.]
Thanks to Brian Carlson of cPanel who brought it to the P5P security team’s
security notice: Locale::Maketext
Rik also issued another notice courtesy of Brian Carlson about the
Locale::Maketext module which also ships in Perl’s core. Ricardo
summarizes the problems as:
* in a [method,x,y,z] template, the method could be a fully-qualified name * template expansion did not properly quote metacharacters, allowing code injection through a malicious template
Does Unicode mandate a collation order?
There was a question (not strictly Perl related) about whether Unicode
mandates a collation order. It does, and the precise answer, according to
Tom Christensen is determined by what
DUCET value is used internally by
the Unicode routines.
If you want the full explanation, read Tom’s reply
a job for someone? SvREFCNT_dec_NN()
Dave Mitchell writes that he’s just added the
which can be used in situations where the SV cannot be null. In such cases,
the macro saves some code space, a test and a jump in the code path. There
are 500 uses of the original
SvREFCOUNT_dec in perl.
If you ever wanted to dive into Perl’s core and were looking for a fairly
easy task to get you going, this might be what you’re looking for.
CERT Perl Secure Coding Standard
Yves Orton wonders if anyone’s seen CERT’s Perl Secure Coding Standard.
Jeffrey Thalhammer writes back that he’s hopeful a Perl::Critic module will
ship early next year incorporating the standard’s guidelines.