Bug #74642 for IO-All: Possible security hole: Please change :ut8 layer to :encoding(UTF-8)

RT for rt.cpan.org

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the IO-All CPAN distribution.

Report information

The Basics

Id:	74642
Status:	resolved
Priority:	0/
Queue:	IO-All

People

Owner:	Nobody in particular
Requestors:	ovid [...] cpan.org
Cc:
AdminCc:

Bug Information

Severity:	Important
Broken in:	(no value)
Fixed in:	(no value)

History Show all quoted text

Thu Feb 02 17:29:32 2012 ovid [...] cpan.org - Ticket created

Subject:

Possible security hole: Please change :ut8 layer to :encoding(UTF-8)

When enabling utf8, IO::All has the following: sub utf8 { my $self = shift; if ($] < 5.008) { die "IO::All -utf8 not supported on Perl older than 5.8"; } CORE::binmode($self->io_handle, ':utf8') if $self->is_open; $self->_utf8(1); $self->encoding('utf8'); return $self; } However, the :utf8 layer only marks the filehandle as utf8. It does not validate that the data is actually UTF-8. This is possibly a security hole. You can fix this with: CORE::binmode($self->io_handle, ':encoding(UTF-8)') See http://www.perlmonks.org/?node_id=644786 for more details. Cheers, Ovid

Fri Feb 03 04:06:57 2012 ovid [...] cpan.org - Severity Important added

Fri Jan 17 17:25:39 2014 frioux [...] gmail.com - Correspondence added

On Thu Feb 02 17:29:32 2012, OVID wrote: Show quoted text

> When enabling utf8, IO::All has the following: > > sub utf8 { > my $self = shift; > if ($] < 5.008) { > die "IO::All -utf8 not supported on Perl older than 5.8"; > } > CORE::binmode($self->io_handle, ':utf8') > if $self->is_open; > $self->_utf8(1); > $self->encoding('utf8'); > return $self; > } > > However, the :utf8 layer only marks the filehandle as utf8. It does not > validate that the data is actually UTF-8. This is possibly a security > hole. You can fix this with: > > CORE::binmode($self->io_handle, ':encoding(UTF-8)') > > See http://www.perlmonks.org/?node_id=644786 for more details. > > Cheers, > Ovid

fixed in git, should be released soon, thanks for the report

Fri Jan 17 17:25:40 2014 The RT System itself - Status changed from 'new' to 'open'

Fri Jan 17 17:25:40 2014 frioux [...] gmail.com - Status changed from 'open' to 'resolved'