[ic] PerlAlwaysGlobal and PerlNoStrict

Jon Jensen jon at endpoint.com
Wed Sep 5 18:53:29 UTC 2012


On Wed, 5 Sep 2012, Mike Heins wrote:

> Yes, if you "use Encode" you are done for, to be sure. Does it happen 
> even if you don't do that?

Yes. The newer perls seem to use Encode implicitly for all sorts of UTF-8 
stuff that happens automatically when doing string manipulation. There 
seems to be no escape from the pain.

> It's a darn shame that there are so many runtime requires. That is a 
> constant potential for file compromise compromising security, and it ups 
> the stakes of code injections or page compromises. That is probably not 
> a huge area at the margin in security, but still. What's worse is the 
> potential for user error to compromise their files and introduce 
> uncertainty.

I agree. Safe is really a nice facility, and casting it aside will have 
bad effects, even if they're not seen for a while. Moving to purely 
compiled Perl code in modules mitigates most of that, but migrating an old 
catalog to that kind of code is a major project.

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/


