This Week on perl5-porters (20-26 October 2003)

This Week on perl5-porters (20-26 October 2003)

This week, several threads raised concerns with tainting. Plan C for randomized hashes was successful. The language issues with constant subroutines were discussed. Bugs were found, some of which were fixed ; some others were dismissed as features. Quite an usual week for the Perl 5 porters.

Taint propagation

Nicholas Clark files bug #24248, about tainting not being propagated properly. This is a regression in perl 5.8.1, that wasn't spotted by the regression tests. He provides a code example where $1 ends up being tainted, but where a copy of $1 looses tainting. Rick Delaney follows up with some questions, regarding the precise interpretation of perlsec, where it's asserted that the presence of tainted data anywhere within an expression renders the entire expression tainted.

Besides this, Rafael added a test.taintwarn target to perl's makefile, to run perl's test suite with taint warnings enabled. At a glance, lots of tests break, but that's due to the additional warnings being reported where they're not expected.

Constant subroutines

Bug #24250 started a long thread. It describes that a closure of the form :

    sub () { $count; }

where $count is a lexical variable, doesn't behave "properly", i.e. not as if the body of the closure included an explicit return statement. Dave Mitchell explains that perl turned this closure in a constant subroutine (due to the empty prototype). This happens since perl 5.8.0, and is considered as feature, although an undocumented and surprising one. It's actually used in the constant module.

At some point, Dave proposed to introduce a :constant subroutine attribute, the current constant subroutine syntax feeling like a non-intuitive language hack, that should be deprecated.

Threads and memory leakage

Jack Steadman reported in perl 5.8.1 a case of memory leak related to threads (bug #24255), which was undiscovered until now. It was fixed by Dave Mitchell ; but Jack then posted another example causing another kind of leak.

if's version

The CPAN currently holds the version 0.01000001 of the if pragma, while the core comes with version 0.03. Autrijus Tang asked Ilya Zakharevich to release an updated version, because the CPAN version has bugs : it cannot deal with the open pragma for example. This led to a discussion about proper version numbering and backward compatibility for dual-lived perl modules.

The :raw layer

Gisle Aas asks why the statement

    open my $fh, "<:raw", \$scalar

always fails. Rafael begins to explain that :raw pops off other layers, but it turns out that a more subtle bug is occurring here.

Removing magic from %ENV

Ton Hospel reported (bug #24291) that aliasing the ENV glob makes %ENV lose magic : thus assigning to an %ENV key doesn't alter the program's environment.

Rafael says that it's to be expected. (However, perl didn't handle this case gracefully, producing random coredumps. This was later fixed by Rafael.) But the potential security hole remains : taint checks are done against the contents of %ENV, not against the actual environment variables, which are different when %ENV is aliased to another variable. A solution is to forbid using an aliased %ENV when taint checks are enabled.

In brief

Perl 5.8.1's binary compatibility issue has been solved by Nicholas. (The fix is now part of Debian unstable.) Perl 5.8.2-to be now is able to switch internally hashing algorithms when a hash grows too large not uniformly.

Jos Boumans posted a program that uses the CPANPLUS API to detect which core modules are outdated in respect to their CPAN versions.

Steve Hay asks for a way to know, from a perl program, to know whether the used perl has been built with -DDEBUGGING.

Ton Hospel produces an Attempt to free unreferenced scalar in 22 characters. (Bug #24254.)

Steve Grazzini reports that if you use @& before $& in a Perl program with perl 5.8, then $& loses its magic. This used to work correctly, but the old behaviour was to set PL_sawampersand (and its performance penalties) unnecessarily. (Bug #24237.)

Uri Guttman proposed to include File::Slurp (or a module with a similar functionality) into the core. Several people liked the idea, (some of which had concerns with the API or the module name), others felt that it was not meeting the criteria to become a core module (the core being already bloated enough.)

Robert Spier introduces metabugs to the crew :

Last minute : Hugo released perl 5.9.0, the first development version after 5.8.0.

About this summary

This week was summarized by Rafael Garcia-Suarez. Summaries are published weekly on and on a mailing list, which subscription address is Corrections, comments, etc. are welcome.