Perl 5 Porters Weekly: December 3-December 9, 2012

Welcome to Perl 5 Porters Weekly, a summary of the email traffic of the perl5-porters email list.

Topics this week include:

  • security notice: Storable
  • security notice: Locale::Maketext
  • Does Unicode mandate a collation order?
  • a job for someone? SvREFCNT_dec_NN()
  • CERT Perl Secure Coding Standard

security notice: Storable

Ricardo Signes published a security notice about the Storable module that ships in Perl's core. He writes:

A number of times over the years, there's been discussion about Storable
as a vector for attack.  If a user can feed you Storable data that you
didn't expect, he has a good chance of doing nasty things to your
program.  This has been discussed on p5p and at YAPCs, but sadly never
made it into the documentation.

This has been fixed[.]

Thanks to Brian Carlson of cPanel who brought it to the P5P security team's attention.

Read the thread

security notice: Locale::Maketext

Rik also issued another notice courtesy of Brian Carlson about the Locale::Maketext module which also ships in Perl's core. Ricardo summarizes the problems as:

* in a [method,x,y,z] template, the method could be a fully-qualified
  name
* template expansion did not properly quote metacharacters, allowing
  code injection through a malicious template

Read the thread

Does Unicode mandate a collation order?

There was a question (not strictly Perl related) about whether Unicode mandates a collation order. It does, and the precise answer, according to Tom Christensen is determined by what DUCET value is used internally by the Unicode routines.

If you want the full explanation, read Tom's reply

Read the thread

a job for someone? SvREFCNT_dec_NN()

Dave Mitchell writes that he's just added the SvREFCOUNT_dec_NN() macro which can be used in situations where the SV cannot be null. In such cases, the macro saves some code space, a test and a jump in the code path. There are 500 uses of the original SvREFCOUNT_dec in perl.

If you ever wanted to dive into Perl's core and were looking for a fairly easy task to get you going, this might be what you're looking for.

Read the thread

CERT Perl Secure Coding Standard

Yves Orton wonders if anyone's seen CERT's Perl Secure Coding Standard. Jeffrey Thalhammer writes back that he's hopeful a Perl::Critic module will ship early next year incorporating the standard's guidelines.

Read the thread

About Perl 5 Porters Summaries

user-pic Weekly p5p summaries