This queue is for tickets about the IO-All CPAN distribution.

Report information
The Basics
Id: 74642
Status: resolved
Priority: 0/
Queue: IO-All

People
Owner: Nobody in particular
Requestors: ovid [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: Possible security hole: Please change :utf8 layer to :encoding(UTF-8)

When enabling utf8, IO::All has the following:

    sub utf8 {
        my $self = shift;
        if ($] < 5.008) {
            die "IO::All -utf8 not supported on Perl older than 5.8";
        }
        CORE::binmode($self->io_handle, ':utf8')
            if $self->is_open;
        $self->_utf8(1);
        $self->encoding('utf8');
        return $self;
    }

However, the :utf8 layer only marks the filehandle as utf8. It does not validate that the data is actually UTF-8. This is possibly a security hole. You can fix this with:

    CORE::binmode($self->io_handle, ':encoding(UTF-8)')

See http://www.perlmonks.org/?node_id=644786 for more details.

Cheers,
Ovid
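The difference between the two layers, as an added example that is not part of the original report and is not IO::All code: it reads the same constructed malformed bytes through each layer and reports whether the resulting string is well-formed. The helper name read_through and the sample bytes are assumptions made for illustration; the last step, decoding raw bytes with Encode's FB_CROAK, goes beyond the ticket to show outright rejection.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode ();
use File::Temp qw(tempfile);

# Constructed sample: "caf" followed by a Latin-1 e-acute byte (0xE9),
# which is not a well-formed UTF-8 sequence.
my $bad_bytes = "caf\xE9\n";

# Write the raw bytes to a temp file, read one line back through $layer,
# and return the string plus any warnings perl raised while reading.
sub read_through {
    my ($layer, $bytes) = @_;
    my ($out, $path) = tempfile(UNLINK => 1);
    binmode $out, ':raw';
    print {$out} $bytes;
    close $out or die "close: $!";

    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, @_ };
    open my $in, "<$layer", $path or die "open $path: $!";
    my $line = <$in>;
    close $in;
    return ($line, \@warnings);
}

# utf8::valid() is false when a string is flagged as UTF-8 internally
# but its bytes are not well-formed.
for my $layer (':utf8', ':encoding(UTF-8)') {
    my ($line, $warnings) = read_through($layer, $bad_bytes);
    printf "%-18s well-formed=%s warnings=%d\n",
        $layer, (utf8::valid($line) ? 'yes' : 'no'), scalar @$warnings;
}

# Strict variant: decode the raw bytes yourself and refuse bad input.
my $ok = eval {
    Encode::decode('UTF-8', $bad_bytes,
        Encode::FB_CROAK() | Encode::LEAVE_SRC());
    1;
};
print "strict decode: ", ($ok ? "accepted\n" : "rejected: $@");
```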
On Thu Feb 02 17:29:32 2012, OVID wrote:
> When enabling utf8, IO::All has the following:
>
>     sub utf8 {
>         my $self = shift;
>         if ($] < 5.008) {
>             die "IO::All -utf8 not supported on Perl older than 5.8";
>         }
>         CORE::binmode($self->io_handle, ':utf8')
>             if $self->is_open;
>         $self->_utf8(1);
>         $self->encoding('utf8');
>         return $self;
>     }
>
> However, the :utf8 layer only marks the filehandle as utf8. It does not
> validate that the data is actually UTF-8. This is possibly a security
> hole. You can fix this with:
>
>     CORE::binmode($self->io_handle, ':encoding(UTF-8)')
>
> See http://www.perlmonks.org/?node_id=644786 for more details.
>
> Cheers,
> Ovid

fixed in git, should be released soon, thanks for the report