This queue is for tickets about the File-Slurp CPAN distribution.

Report information
The Basics
Id: 83126
Status: resolved
Priority: Low/Low
Queue:

People
Owner: cwhitener [...] gmail.com
Requestors: dagolden [...] cpan.org
Cc: ether [...] cpan.org
AdminCc:

BugTracker
Severity: Critical
Broken in: (no value)
Fixed in: (no value)

Subject: Security hole with encoding(UTF-8)
sysread treats any :encoding(...) as effectively :utf8. Thus, requesting { binmode => ":encoding(UTF-8)" } (e.g. strict UTF-8 compliance) actually results in Perl's lax, insecure utf8 decoding being used instead. This may surprise people. (There are related tickets relating to layer surprises.) I would suggest improving the documentation to indicate that using any binmode with File::Slurp other than ":raw" (or ":unix") is ill advised and the only real reason to use binmode at all is to disable CRLF translation on Windows.
On Mon Feb 04 14:25:32 2013, DAGOLDEN wrote:
> sysread treats any :encoding(...) as effectively :utf8.
>
> Thus, requesting { binmode => ":encoding(UTF-8)" } (e.g. strict UTF-8
> compliance) actually results in Perl's lax, insecure utf8 decoding being
> used instead.
>
> This may surprise people. (There are related tickets relating to layer
> surprises.)
>
> I would suggest improving the documentation to indicate that using any
> binmode with File::Slurp other than ":raw" (or ":unix") is ill advised
> and the only real reason to use binmode at all is to disable CRLF
> translation on Windows.

More importantly, it will interpret any encoding as :utf8, even for example :encoding(UTF-16). This is obviously *completely* broken.

Leon
Fixed in 1.013
On Wed Feb 12 15:58:38 2014, BDFOY wrote:
> Fixed in 1.013

Oops, I responded to the wrong queue. Disregard this.
On Mon Feb 04 14:25:32 2013, DAGOLDEN wrote:
> sysread treats any :encoding(...) as effectively :utf8.

There's fairly extensive discussion of this issue at: https://rt.perl.org/Ticket/Display.html?id=121870 but any new discussion belongs here.

Tony

Hi Everyone, I believe this to be fixed now in v9999.26. Please don't hesitate to yell at me if I'm wrong about that.

Thanks,
Chase
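The workaround the report suggests, shown as an added example that is not part of this ticket or of File::Slurp itself: read the file with binmode ":raw" only, then validate the bytes as strict UTF-8 in your own code with Encode, so an affected File::Slurp cannot silently downgrade the layer to lax :utf8. The helper name slurp_strict_utf8 and the sample inputs are constructed for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Encode qw(decode FB_CROAK);
use File::Slurp qw(read_file write_file);
use File::Temp qw(tempfile);

# Read raw bytes and validate them as strict UTF-8 ourselves, instead of
# trusting a binmode layer that an affected File::Slurp may treat as :utf8.
# (Hypothetical helper, not part of File::Slurp.)
sub slurp_strict_utf8 {
    my ($path) = @_;
    my $bytes = read_file($path, { binmode => ':raw' });   # no layer surprises
    # FB_CROAK: die on malformed input (lone surrogates, overlongs, ...)
    return decode('UTF-8', $bytes, FB_CROAK);
}

# Constructed sample inputs (not from the ticket).
my %samples = (
    valid     => "caf\xC3\xA9\n",        # U+00E9 as valid UTF-8
    surrogate => "bad:\xED\xA0\x80\n",   # U+D800 encoded: strict UTF-8 rejects it
);

for my $name (sort keys %samples) {
    my ($fh, $path) = tempfile(UNLINK => 1);
    close $fh;
    write_file($path, { binmode => ':raw' }, $samples{$name});

    my $text = eval { slurp_strict_utf8($path) };
    if (defined $text) {
        printf "%-9s accepted: %d characters\n", $name, length $text;
    } else {
        (my $err = $@) =~ s/\s+at .*//s;   # trim "at FILE line N"
        printf "%-9s rejected: %s\n", $name, $err;
    }
}
```

The "valid" sample decodes to 5 characters; the "surrogate" sample makes decode() croak, which is exactly the check a lax :utf8 layer would skip.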


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.