
This queue is for tickets about the JSON-XS CPAN distribution.

Report information
The Basics
Id: 94451
Status: resolved
Priority: 0/
Queue: JSON-XS

People
Owner: Nobody in particular
Requestors: victor [...] vsespb.ru
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: option to disallow numification
Hello. The following

==
use strict;
use warnings;
use JSON::XS;
my $data = JSON::XS->new()->decode('{ "x": 0}');
print "YES\n" if "somestring" ~~ [ $data->{x} ];
==

prints YES (with a warning), but this

==
use strict;
use warnings;
use JSON::XS;
my $data = JSON::XS->new()->decode('{ "x": "0"}');
print "YES\n" if "somestring" ~~ [ $data->{x} ];
==

does not. This can introduce bugs and security issues.

IMHO, there is a paradigm in Perl that the programmer is _always_ in control of when a variable is numified or not. It was simple: if a variable is the result of a numeric operation (numeric context), then it's a number. If a variable is initialized with a numeric constant, it's a number too. The programmer can control when a variable is a number and when not. But with JSON::XS the programmer lost control - data from an untrusted source can be numeric without the programmer's approval.

So I think it would be great to add an option to disallow numification.

P.S. Yes, smartmatch/given+when is experimental. Also, there are operators in Perl, like unary minus, which treat all strings which looks_like_a_number as numbers, not just IVs, so smartmatch indeed looks broken. BUT smartmatch is a different case, it could not be implemented like that, it would be pretty useless if it used looks_like_a_number to determine "data type".
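One application-side workaround for the concern in the report above, as an added example that is not part of the ticket and not code from JSON::XS: stringify every plain scalar after decoding, so values from untrusted JSON reach type-sensitive operators the same way the `"0"` case does. The helper name `stringify_scalars` and the sample document are assumptions made for this illustration.

```perl
use strict;
use warnings;
use JSON::XS;

# stringify_scalars() is a hypothetical helper, not part of JSON::XS.
# It walks a decoded structure in place and replaces every plain scalar
# with its string form, so no value arrives flagged as a number.
sub stringify_scalars {
    my ($node) = @_;
    if (ref($node) eq 'HASH') {
        # values() aliases the hash slots, so assigning to $_ updates them
        $_ = stringify_scalars($_) for values %$node;
        return $node;
    }
    if (ref($node) eq 'ARRAY') {
        $_ = stringify_scalars($_) for @$node;
        return $node;
    }
    # JSON null (undef) and true/false (blessed objects) are left untouched.
    return $node if !defined $node || ref $node;
    return "$node";    # interpolation yields a fresh string-only scalar
}

# Constructed sample input standing in for untrusted JSON.
my $untrusted = '{ "x": 0, "ids": [1, "2", 3.5], "ok": true, "none": null }';

my $json = JSON::XS->new->canonical;
my $raw  = $json->decode($untrusted);
my $safe = stringify_scalars($json->decode($untrusted));

# Re-encoding shows how each scalar is typed: numbers bare, strings quoted.
print "decoded as-is: ", $json->encode($raw),  "\n";
print "stringified:   ", $json->encode($safe), "\n";
```

The string form is Perl's rendering of the decoded number, not the original JSON text, so `1e3` becomes `1000`. Explicit numeric operators such as `==` still treat a numeric-looking string as a number, so compare these values with `eq`.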
Subject: Re: [rt.cpan.org #94451] option to disallow numification
Date: Sat, 5 Apr 2014 21:19:12 +0200
To: Victor Efimov via RT <bug-JSON-XS [...] rt.cpan.org>
From: Marc Lehmann <schmorp [...] schmorp.de>
Hi!

Please send your bug report to the official contact/author address for the module in question (or send it to rt.cpan.org@schmorp.de, that's fine as well).

What follows is the rationale for this request, you don't have to read it if you don't care.

Why is this necessary? rt.cpan.org has many deficiencies which make it tedious and hard to use, increasing the workload on the people who provide all the perl modules you probably appreciate (and that is really to be avoided - module authors should be able to invest all their time into improving their modules and not fighting with rt.cpan.org's bugs).

Still, for some people, rt.cpan.org is useful to have, and some people even like it and really want to use it. That is fine, too.

Unfortunately, the designers of rt.cpan.org didn't make their "service" optional - you can neither opt-in nor opt-out of rt.cpan.org as a module author.

Just like a spammer, rt.cpan.org forces its "service" (whether wanted or unwanted) on everybody. Just like a spammer, they don't care for the people they actively hurt. Just like a spammer, they don't care to fix these issues and make their "service" ethically acceptable. You cannot even configure it to redirect tickets to somewhere else.

Unfortunately, ignoring rt.cpan.org is not an option either: for people reporting possible bugs there is no indication that their report will be ignored, and for module authors it means they miss potentially vital bug reports such as yours (and of course it's a great impression if rt.cpan.org has lots of bug reports that are unanswered, making a module look unmaintained when in fact the opposite might be true).

I am sorry that this wasted a bit of your time, but please understand that I am just as much a victim as you are - the problem is the unethical stance of the rt.cpan.org providers who force their "service" on everybody.

Please redirect your bug report as stated in the beginning of this mail, and please consider petitioning the rt.cpan.org providers to stop their unethical behaviour and allow opt-in, opt-out, or some redirect option.

One last issue: many people mail me that this can be "fixed" by including the bugtracker element in my module meta file. This is not true:

1. This field only affects search.cpan.org and maybe similar services. (Many people confuse rt.cpan.org with search.cpan.org for some reason).
2. It doesn't even work (there are still links to rt.cpan.org displayed).
3. Even if search.cpan.org does no longer display the link, it doesn't actually affect rt.cpan.org (and tests have shown that people go to rt.cpan.org regardless)

Even *iff* rt.cpan.org would start listening on the bugtracker field, however, it's still wrong. I have a lot of modules, and each time a service like rt.cpan.org comes out, I would have to make dummy releases for all my modules. This not only creates a lot of extra work for me (I take releases very seriously) but also users, who would wonder why there is a new release.

Thanks a lot,
Marc Lehmann <rt.cpan.org@schmorp.de>

Last updated: 2012-04-22