
This queue is for tickets about the Term-ANSIColorx-ColorNicknames CPAN distribution.

Report information
The Basics
Id: 103036
Status: resolved
Priority: 0/
Queue: Term-ANSIColorx-ColorNicknames

People
Owner: Nobody in particular
Requestors: ether [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Uses File::Slurp, known to be buggy and vulnerable
e.g. look at https://rt.cpan.org/Ticket/Display.html?id=83126 and be dismayed File::Slurp::Tiny and Path::Tiny are both excellent alternatives. See also http://shadow.cat/blog/matt-s-trout/mstpan-5/
I'm not sure this was worth a bug report. Personally, I really only ever use slurp() where I don't really care about the file input that much — (ie, it's not user input and it's not that big and I have to read the whole file anyway). In this case, it's just picking up the module files and comparing the $VERSION globals in a test. I should be dismayed by this use? We can trust running the modules but we can't trust reading them in to study the $VERSIONs?

Nobody mentioned the actual bugs in this module that I don't have time to fix. In fact, I suspect nobody even uses it but me — which is sad, because it's really helpful to use for all sorts of things. I can only conclude that this warning was more of a political jibe and Uri rather or some kind of bot message rather than an actual bug report — in any case, I'm skeptical of the intent.

On the other hand, thanks. I wasn't aware of the controversy and I'm enjoying reading the inexplicable circle-the-wagons attack on the perlfaq RT. Why not make sure File::Slurp gets fixed rather than changing the faq? I mean, the cat's already out of the bag. Maybe change slurp to use Path::Tiny? What is changing the faq going to do? Does Perl have new users? I think it's just us old timers.

On Mon Mar 23 16:53:35 2015, ETHER wrote:
> e.g. look at https://rt.cpan.org/Ticket/Display.html?id=83126 and be
> dismayed
>
> File::Slurp::Tiny and Path::Tiny are both excellent alternatives.
>
> See also http://shadow.cat/blog/matt-s-trout/mstpan-5/
-- If riding in an airplane is flying, then riding in a boat is swimming. 116 jumps, 48.6 minutes of freefall, 92.9 freefall miles.
On 2015-03-25 04:21:37, JETTERO wrote:
> I can only conclude that this warning was more of a political jibe and
> Uri rather or some kind of bot message rather than an actual bug
> report — in any case, I'm skeptical of the intent.
It's a real bug report, but you're right that I don't use your distribution. The intent is genuine - to move everyone off a legacy module where we've discovered a lot of serious issues that aren't getting fixed, onto other things that are more actively maintained and address these issues.
On Wed Mar 25 12:33:07 2015, ETHER wrote:
> It's a real bug report, but you're right that I don't use your
> distribution. The intent is genuine - to move everyone off a legacy
> module where we've discovered a lot of serious issues that aren't
> getting fixed, onto other things that are more actively maintained and
> address these issues.
Indeed, I really like the Path::Tiny interfaces and already changed a large percentage of my shell-script-kit environment (non-public) and this module and a couple other things.

The issues still don't seem like all that big a deal to me. I find it concerning that the encoding layers are doing the wrong thing. Some day that could be fooled into … unimagined remote execution bugs … I mean, one never knows. But besides that, they don't seem like that big a deal to me. Who's using slurp() for anything other than loading small trusted files for tests or something anyway?

-Paul

-- If riding in an airplane is flying, then riding in a boat is swimming. 116 jumps, 48.6 minutes of freefall, 92.9 freefall miles.
OK, anyway, thanks for Path::Tiny. It's great. -- If riding in an airplane is flying, then riding in a boat is swimming. 116 jumps, 48.6 minutes of freefall, 92.9 freefall miles.
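The job the thread describes (reading the distribution's module files in a test and checking that their $VERSION globals agree) done with Path::Tiny instead of File::Slurp's slurp(), as an added example that is not the distribution's own test code and not code posted in this ticket. It assumes the modules live under a lib/ directory and that each declares its version with a line-leading `our $VERSION = ...;` assignment; both are assumptions, not something the ticket states. Reading is done with slurp_utf8, which applies a fixed UTF-8 layer rather than inheriting whatever ambient PerlIO layers are in effect, which is the encoding-layer concern raised above.

```perl
#!/usr/bin/env perl
# Added example: compare $VERSION across a distribution's modules using
# Path::Tiny. Not part of Term-ANSIColorx-ColorNicknames or this ticket.
use strict;
use warnings;
use Path::Tiny qw(path);
use Test::More;

# Assumption: modules live under lib/; adjust to the distribution's layout.
my $lib = path('lib');

# Collect every .pm file under lib/ (Path::Tiny's recursive iterator).
my @modules;
my $iter = $lib->iterator( { recurse => 1 } );
while ( my $p = $iter->() ) {
    push @modules, $p if $p->is_file && "$p" =~ /\.pm\z/;
}

plan skip_all => 'no modules found under lib/' unless @modules;

# Read each file with an explicit UTF-8 layer. slurp_utf8 does not depend
# on the ambient PerlIO settings, so the decoded text is the same on every
# machine the test runs on.
my %version_of;
for my $p (@modules) {
    my $src = $p->slurp_utf8;

    # Only accept a line-leading "our $VERSION = '...';" assignment
    # (assumed convention); anything else leaves the entry undefined.
    my ($v) = $src =~ /^\s*our\s+\$VERSION\s*=\s*['"]?([0-9][0-9._]*)['"]?\s*;/m;
    $version_of{ $p->relative($lib) } = $v;
}

# Every module should declare a $VERSION, and all of them should agree.
my @declared = grep { defined } values %version_of;
my ($expected) = @declared;

for my $file ( sort keys %version_of ) {
    ok( defined $version_of{$file}, "$file declares \$VERSION" ) or next;
    is( $version_of{$file}, $expected, "$file \$VERSION is $expected" );
}

done_testing;
```

Running it as `prove -l t/versions.t` (file name assumed) reports one test per module; a module without a version line fails the `declares` check and is skipped for the comparison, so a single missing declaration cannot mask a mismatch elsewhere.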