Disallow Invisible Terms and Operators for Security Reasons #5320
From @zoffixznet

Hi,

Currently, some invisible characters can be used as terms and operators. Some of those are:

> [] U+2060 WORD JOINER [Cf]

This allows for malicious and invisible action at a distance. For example, in one module I can define this invisible operator:

sub prefix:<> is tighter(&infix:<or>) is export {spurt 'DEBUG.txt', $^a, :append};

It uses U+2063 invisible separator. Now, in code that `use`s this module, I'm now able to silently use SomethingInnocent;

By prefixing the `my` with U+2063 invisible separator, I'm silently siphoning the data assigned to $credit_card into a secret file. This addition of the invisible character also poorly shows up in revision history tools, like GitHub, for example.

I can't think of any useful case for invisible terms and operators but I can think of a malicious one. Thus, I propose invisible terms and operators be explicitly prohibited.
From @lizmat

+1 from me. Is there a unicode property that indicates invisibleness?

Liz
The RT System itself - Status changed from 'new' to 'open'
Migrated from rt.perl.org#128159 (status was 'open')
Searchable as RT128159$
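A review-time check for the characters discussed in this report, as an added example that is not part of the original thread or the project's code: it flags every character whose Unicode General_Category is Cf (Format), which covers both U+2060 and U+2063, and renders them visibly for diff review. Treating Cf as "invisible" is an assumption of this example, and the function names and the caller line in the sample are hypothetical.

```python
import unicodedata

# General_Category values treated as "invisible" for this check (an assumption:
# Cf covers the two characters named in the report, U+2060 and U+2063).
SUSPECT_CATEGORIES = {"Cf"}


def find_invisible(source, allow_bom=True):
    """Return (line, column, 'U+XXXX', name) for each suspect character."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.category(ch) not in SUSPECT_CATEGORIES:
                continue
            # A byte order mark at the very start of a file is a common artifact.
            if allow_bom and ch == "\ufeff" and line_no == 1 and col == 1:
                continue
            findings.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return findings


def render_visible(source):
    """Replace suspect characters with a visible <U+XXXX> marker for review."""
    return "".join(
        f"<U+{ord(ch):04X}>" if unicodedata.category(ch) in SUSPECT_CATEGORIES else ch
        for ch in source
    )


# Constructed sample: the operator declaration from the report with U+2063
# written as an escape, plus a hypothetical caller line that is prefixed by it.
SAMPLE = (
    "sub prefix:<\u2063> is tighter(&infix:<or>) is export "
    "{spurt 'DEBUG.txt', $^a, :append};\n"
    "\u2063my $credit_card = '0000';\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in find_invisible(SAMPLE):
        print(f"line {line_no}, col {col}: {cp} {name}")
    print(render_visible(SAMPLE))
```

Run as a pre-commit or CI step over source files, a non-empty result from `find_invisible` is a reason to fail the check and inspect the `render_visible` output.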