[ic] PerlAlwaysGlobal and PerlNoStrict
Mike Heins
mike at perusion.com
Wed Sep 5 18:13:48 UTC 2012

Quoting Jon Jensen (jon at endpoint.com):
> On Wed, 5 Sep 2012, Mike Heins wrote:
>
> >>There is basically no alternative to PerlAlwaysGlobal today if
> >>you use additional Perl modules and Perl code in IC 5.
> >
> >If you limit your use to modules which don't do runtime requires
> >you can certainly avoid it.
>
> With Perl 5.14 and newer, I'm finding that Stefan is correct,
> because the core Encoding module does runtime requires all the time,
> and possibly some other core modules. Safe has become nearly
> unusable for us with newer Perl versions.

Yes, if you "use Encode" you are done for, to be sure. Does it
happen even if you don't do that?

It's a darn shame that there are so many runtime requires. That is a
constant potential for file compromise compromising security, and it
ups the stakes of code injections or page compromises. That is
probably not a huge area at the margin in security, but still. What's
worse is the potential for user error to compromise their files and
introduce uncertainty.

I do recognize that it isn't the be-all and end-all of security,
but it makes it easier to do things and be safe.

That being said, PerlAlwaysGlobal and the Alias call I mentioned should
bring things in line...

--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.253.4194 <mike at perusion.com>
Software axiom: Lack of speed kills.