Skip Menu |

This queue is for tickets about the File-Slurp CPAN distribution.

Report information
The Basics
Id: 83126
Status: resolved
Priority: 0/
Queue: File-Slurp
People
Owner: cwhitener [...] gmail.com
Requestors: dagolden [...] cpan.org
Cc: ether [...] cpan.org
AdminCc:
Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Mon Feb 04 14:25:32 2013 dagolden [...] cpan.org - Ticket created
Subject: Security hole with encoding(UTF-8)
sysread treats any :encoding(...) as effectively :utf8. Thus, requesting { binmode => ":encoding(UTF-8)" } (e.g. strict UTF-8 compliance) actually results in Perl's lax, insecure utf8 decoding being used instead. This may surprise people. (There are related tickets relating to layer surprises.) I would suggest improving the documentation to indicate that using any binmode with File::Slurp other than ":raw" (or ":unix") is ill advised and the only real reason to use binmode at all is to disable CRLF translation on Windows.
  Sat May 11 03:58:42 2013 LEONT [...] cpan.org - Correspondence added
On Mon Feb 04 14:25:32 2013, DAGOLDEN wrote: Show quoted text
> sysread treats any :encoding(...) as effectively :utf8. > > Thus, requesting { binmode => ":encoding(UTF-8)" } (e.g. strict UTF-8 > compliance) actually results in Perl's lax, insecure utf8 decoding being > used instead. > > This may surprise people. (There are related tickets relating to layer > surprises.) > > I would suggest improving the documentation to indicate that using any > binmode with File::Slurp other than ":raw" (or ":unix") is ill advised > and the only real reason to use binmode at all is to disable CRLF > translation on Windows.
More importantly, it will interpret any encoding as :utf8, even for example :encoding(UTF-16). This is obviously *completely* broken. Leon
  Sat May 11 03:58:43 2013 The RT System itself - Status changed from 'new' to 'open'
  Wed Oct 23 18:17:10 2013 ether [...] cpan.org - Cc ETHER added
  Mon Jan 20 16:36:16 2014 LEONT [...] cpan.org - Severity Important changed to Critical
  Wed Feb 12 15:58:38 2014 bdfoy [...] cpan.org - Correspondence added
Fixed in 1.013
  Wed Feb 12 15:59:47 2014 bdfoy [...] cpan.org - Correspondence added
On Wed Feb 12 15:58:38 2014, BDFOY wrote: Show quoted text
> Fixed in 1.013
Oops, I responded the wrong queue. Disregard this.
  Tue Oct 07 23:06:05 2014 TONYC [...] cpan.org - Correspondence added
On Mon Feb 04 14:25:32 2013, DAGOLDEN wrote: Show quoted text
> sysread treats any :encoding(...) as effectively :utf8.
There's fairly extensive discussion of this issue at: https://rt.perl.org/Ticket/Display.html?id=121870 but any new discussion belongs here. Tony
  Tue Sep 25 18:34:44 2018 cwhitener [...] gmail.com - Taken
  Wed Feb 13 12:10:37 2019 cwhitener [...] gmail.com - Correspondence added
Hi Everyone, I believe this to be fixed now in v9999.26. Please don't hesitate to yell at me if I'm wrong about that. Thanks, Chase
  Wed Feb 13 12:10:38 2019 cwhitener [...] gmail.com - Status changed from 'open' to 'resolved'