This queue is for tickets about the File-Slurp CPAN distribution.

Report information
The Basics
Id: 83126
Status: open
Priority: 0/
Queue: File-Slurp

People
Owner: cwhitener [...] gmail.com
Requestors: dagolden [...] cpan.org
Cc: ether [...] cpan.org
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Subject: Security hole with encoding(UTF-8)
sysread treats any :encoding(...) as effectively :utf8. Thus, requesting { binmode => ":encoding(UTF-8)" } (e.g. strict UTF-8 compliance) actually results in Perl's lax, insecure utf8 decoding being used instead. This may surprise people. (There are related tickets relating to layer surprises.) I would suggest improving the documentation to indicate that using any binmode with File::Slurp other than ":raw" (or ":unix") is ill advised and the only real reason to use binmode at all is to disable CRLF translation on Windows.
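The advice in the comment above, as an added example that is not part of the ticket or of File::Slurp: read the file with binmode ':raw' and do the decoding yourself with Encode, so that strict UTF-8 validation is actually applied instead of whatever the :encoding(...) layer would have done on a handle that sysread bypasses. It assumes File::Slurp is installed (Encode and File::Temp are core modules). The input file is constructed by the script itself and contains the byte sequence \xED\xA0\x80, the UTF-8 encoding of the surrogate U+D800, which Encode's lax "utf8" accepts and strict "UTF-8" rejects.

```perl
#!/usr/bin/env perl
# Added example, not part of File::Slurp or of this ticket: read raw bytes
# with File::Slurp and decode them explicitly so strict UTF-8 checking
# really happens.  Assumes File::Slurp is installed; Encode and File::Temp
# are core.
use strict;
use warnings;
use Encode      qw(decode);
use File::Slurp qw(read_file write_file);
use File::Temp  qw(tempfile);

# Strict: Encode's "UTF-8" rejects surrogates, code points above 0x10FFFF
# and malformed sequences; FB_CROAK turns any of them into a die.
# LEAVE_SRC keeps decode() from consuming $bytes in place.
sub read_strict_utf8 {
    my ($path) = @_;
    my $bytes = read_file($path, binmode => ':raw');
    return decode('UTF-8', $bytes, Encode::FB_CROAK | Encode::LEAVE_SRC);
}

# Lax: Encode's "utf8" is Perl's internal flavour, the loose decoding the
# ticket warns about; it accepts surrogates and above-Unicode code points.
sub read_lax_utf8 {
    my ($path) = @_;
    my $bytes = read_file($path, binmode => ':raw');
    return decode('utf8', $bytes);
}

# Constructed input (temporary file, hypothetical content): "ok" followed
# by \xED\xA0\x80, the UTF-8 encoding of the surrogate U+D800, which
# strict UTF-8 forbids, then a newline.
my ($tmp_fh, $path) = tempfile(UNLINK => 1);
close $tmp_fh;
write_file($path, { binmode => ':raw' }, "ok\xED\xA0\x80\n");

# The lax read succeeds and hands back a string containing a surrogate.
my $lax = read_lax_utf8($path);
printf "lax   : %d characters, third is U+%04X\n",
    length $lax, ord substr($lax, 2, 1);

# The strict read dies inside decode(); trap it and report the reason.
my $strict = eval { read_strict_utf8($path) };
if (defined $strict) {
    print "strict: accepted\n";
} else {
    print "strict: rejected: $@";
}
```

The lax read returns four characters with U+D800 in the third position; the strict read dies inside decode(). Independently of File::Slurp, calling sysread() on a handle that carries a :utf8 or :encoding(...) layer was deprecated in Perl 5.24 and has been fatal since Perl 5.30, so the silent loose decoding described above cannot happen on a current perl; what a given File::Slurp version does with such a binmode is still a question for that version's source.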

On Mon Feb 04 14:25:32 2013, DAGOLDEN wrote:
> sysread treats any :encoding(...) as effectively :utf8.
>
> Thus, requesting { binmode => ":encoding(UTF-8)" } (e.g. strict UTF-8
> compliance) actually results in Perl's lax, insecure utf8 decoding being
> used instead.
>
> This may surprise people. (There are related tickets relating to layer
> surprises.)
>
> I would suggest improving the documentation to indicate that using any
> binmode with File::Slurp other than ":raw" (or ":unix") is ill advised
> and the only real reason to use binmode at all is to disable CRLF
> translation on Windows.
More importantly, it will interpret any encoding as :utf8, even for example :encoding(UTF-16). This is obviously *completely* broken.

Leon
Fixed in 1.013

On Wed Feb 12 15:58:38 2014, BDFOY wrote:
> Fixed in 1.013
Oops, I responded the wrong queue. Disregard this.

On Mon Feb 04 14:25:32 2013, DAGOLDEN wrote:
> sysread treats any :encoding(...) as effectively :utf8.
There's fairly extensive discussion of this issue at: https://rt.perl.org/Ticket/Display.html?id=121870 but any new discussion belongs here.

Tony