[ic] PerlAlwaysGlobal and PerlNoStrict
Jon Jensen
jon at endpoint.com
Wed Sep 5 18:53:29 UTC 2012
On Wed, 5 Sep 2012, Mike Heins wrote:

> Yes, if you "use Encode" you are done for, to be sure. Does it happen
> even if you don't do that?

Yes. The newer perls seem to use Encode implicitly for all sorts of UTF-8
stuff that happens automatically when doing string manipulation. There
seems to be no escape from the pain.

> It's a darn shame that there are so many runtime requires. That is a
> constant potential for file compromise compromising security, and it ups
> the stakes of code injections or page compromises. That is probably not
> a huge area at the margin in security, but still. What's worse is the
> potential for user error to compromise their files and introduce
> uncertainty.

I agree. Safe is really a nice facility, and casting it aside will have
bad effects, even if they're not seen for a while. Moving to purely
compiled Perl code in modules mitigates most of that, but migrating an old
catalog to that kind of code is a major project.

Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/