This week, several threads raised concerns with tainting. Plan C for randomized hashes was successful. The language issues with constant subroutines were discussed. Bugs were found, some of which were fixed; some others were dismissed as features. Quite a usual week for the Perl 5 porters.
Nicholas Clark files bug #24248, about tainting not being propagated properly. This is a regression in perl 5.8.1 that wasn't spotted by the regression tests. He provides a code example where $1 ends up being tainted, but where a copy of $1 loses tainting. Rick Delaney follows up with some questions regarding the precise interpretation of perlsec, where it's asserted that the presence of tainted data anywhere within an expression renders the entire expression tainted.
http://xrl.us/yud
Besides this, Rafael added a test.taintwarn target to perl's makefile, to run perl's test suite with taint warnings enabled. At a glance, lots of tests break, but that's due to the additional warnings being reported where they're not expected.
Bug #24250 started a long thread. It reports that a closure of the form:
    sub () { $count; }
where $count is a lexical variable, doesn't behave ``properly'', i.e. not as if the body of the closure included an explicit return statement. Dave Mitchell explains that perl turned this closure into a constant subroutine (due to the empty prototype). This has happened since perl 5.8.0, and is considered a feature, although an undocumented and surprising one. It's actually used in the constant module.
At some point, Dave proposed to introduce a :constant subroutine attribute, the current constant subroutine syntax feeling like a non-intuitive language hack that should be deprecated.
http://xrl.us/yue
Jack Steadman reported a memory leak related to threads in perl 5.8.1 (bug #24255), which had gone undiscovered until now. It was fixed by Dave Mitchell; but Jack then posted another example causing another kind of leak.
http://xrl.us/yuf
if's version
The CPAN currently holds the version 0.01000001 of the if pragma, while the core comes with version 0.03. Autrijus Tang asked Ilya Zakharevich to release an updated version, because the CPAN version has bugs: it cannot deal with the open pragma, for example. This led to a discussion about proper version numbering and backward compatibility for dual-lived perl modules.
http://xrl.us/yug
:raw layer
Gisle Aas asks why the statement
    open my $fh, "<:raw", \$scalar
always fails. Rafael begins to explain that :raw pops off other layers, but it turns out that a more subtle bug is occurring here.
http://xrl.us/yuh
Ton Hospel reported (bug #24291) that aliasing the ENV glob makes %ENV lose its magic: assigning to an %ENV key then no longer alters the program's environment.
Rafael says that it's to be expected. (However, perl didn't handle this case gracefully, producing random coredumps. This was later fixed by Rafael.) But the potential security hole remains: taint checks are done against the contents of %ENV, not against the actual environment variables, and the two differ when %ENV is aliased to another variable. A solution is to forbid using an aliased %ENV when taint checks are enabled.
http://xrl.us/yu3
Perl 5.8.1's binary compatibility issue has been solved by Nicholas. (The fix is now part of Debian unstable.) Perl 5.8.2-to-be is now able to switch hashing algorithms internally when a hash grows too large in a non-uniform way.
Jos Boumans posted a program that uses the CPANPLUS API to detect which core modules are outdated with respect to their CPAN versions.
http://xrl.us/yui
Steve Hay asks for a way to know, from a perl program, whether the perl in use has been built with -DDEBUGGING.
http://xrl.us/yuj
Ton Hospel produces an "Attempt to free unreferenced scalar" in 22 characters. (Bug #24254.)
Steve Grazzini reports that if you use @& before $& in a Perl program with perl 5.8, then $& loses its magic. This used to work correctly, but the old behaviour was to set PL_sawampersand (and its performance penalties) unnecessarily. (Bug #24237.)
Uri Guttman proposed to include File::Slurp (or a module with similar functionality) into the core. Several people liked the idea (some of whom had concerns with the API or the module name); others felt that it did not meet the criteria to become a core module (the core being already bloated enough).
Robert Spier introduces metabugs to the crew:
http://xrl.us/yuc
Last minute: Hugo released perl 5.9.0, the first development version after 5.8.0.
This week was summarized by Rafael Garcia-Suarez. Summaries are published weekly on http://use.perl.org/ and on a mailing list, whose subscription address is perl5-summary-subscribe@perl.org. Corrections, comments, etc. are welcome.