Report information
Id: 105922
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors:
Cc:
AdminCc:

Operating System: darwin
PatchStatus: (no value)
Severity: low
Type: core
Perl Version: 5.15.4
Fixed In: (no value)



Subject: Questionable package name validation
Date: Sun, 11 Dec 2011 13:35:32 -0800
To: perlbug [...] perl.org
From: Father Chrysostomos <sprout [...] cpan.org>
This is apparently a valid package name:

$ perl -le 'q"_#@*$!@*^("->can(can); print -ok'
-ok

But this is not:

$ perl -le 'q"#@*$!@*^(_"->can(can); print -ok'
Can't call method "can" without a package or object reference at -e line 1.

That also means that main::foo is not always equivalent to ::foo:

$ perl -le 'main::foo->can(can); print -ok'
-ok
$ perl -le '::foo->can(can); print -ok'
Can't call method "can" without a package or object reference at -e line 1.

If we could eliminate that check, it would allow for far more possibilities with UNIVERSAL methods--a bit like autobox. I think this is a pity:

$ ./perl -Ilib -le' print foo->CORE::uc'
FOO
$ ./perl -Ilib -le' print "3foo"->CORE::uc'
Can't call method "CORE::uc" without a package or object reference at -e line 1.

Also, the Unicode Bug affects class method calls. Fixing the above (which would fix this too) is easier than fixing just this:

$ ./perl -Ilib -Mutf8 -le '$p = "þackage"; $p->can(can)'
$ ./perl -Ilib -Mutf8 -le '$p = "þackage"; utf8::downgrade $p; $p->can(can)'
Can't call method "can" without a package or object reference at -e line 1.

It doesn’t even work when the package exists.

And to drive the point home:

$ perl -e 'sub foo { warn $::Moose::VERSION } use Moose'
Can't call method "can" without a package or object reference at /Library/Perl/5.10.1/darwin-thread-multi-2level/Moose/Exporter.pm line 348.

---
Flags:
    category=core
    severity=low
---
Site configuration information for perl 5.15.4:

Configured by sprout at Wed Nov 2 09:06:14 PDT 2011.
CC: bugs-bitbucket [...] rt.perl.org
Subject: Re: [perl #105922] Questionable package name validation
Date: Tue, 13 Dec 2011 15:48:14 -0500
To: perl5-porters [...] perl.org
From: Eric Brine <ikegami [...] adaelis.com>
On Sun, Dec 11, 2011 at 4:35 PM, Father Chrysostomos <perlbug-followup@perl.org> wrote:
Also, the Unicode Bug affects class method calls.  Fixing the above (which would fix this too) is easier than fixing just this:

$ ./perl -Ilib -Mutf8 -le '$p = "þackage"; $p->can(can)'

$ ./perl -Ilib -Mutf8 -le '$p = "þackage"; utf8::downgrade $p; $p->can(can)'
Can't call method "can" without a package or object reference at -e line 1.

And feature unicode_strings doesn't help.

CC: perl5-porters [...] perl.org, bugs-bitbucket [...] rt.perl.org
Subject: Re: [perl #105922] Questionable package name validation
Date: Tue, 13 Dec 2011 19:57:59 -0300
To: Eric Brine <ikegami [...] adaelis.com>
From: Brian Fraser <fraserbn [...] gmail.com>

On Tue, Dec 13, 2011 at 5:48 PM, Eric Brine <ikegami@adaelis.com> wrote:
On Sun, Dec 11, 2011 at 4:35 PM, Father Chrysostomos <perlbug-followup@perl.org> wrote:
Also, the Unicode Bug affects class method calls.  Fixing the above (which would fix this too) is easier than fixing just this:

$ ./perl -Ilib -Mutf8 -le '$p = "þackage"; $p->can(can)'

$ ./perl -Ilib -Mutf8 -le '$p = "þackage"; utf8::downgrade $p; $p->can(can)'
Can't call method "can" without a package or object reference at -e line 1.

And feature unicode_strings doesn't help.


Whoops, that was me. Fixing this is one line in pp_hot.c (patch attached), but that part of the code is just.. weird.

A valid class name, as far as the left side of -> is concerned, is either something that is already in the stash cache hash, and failing that, something that has an IO slot, and failing that, something that matches /^[\p{XIDS}_]/.
I think that explains why _#@*$!@*^( works, but #@*$!@*^(_ doesn't, and similarly with ::foo. Though it sure seems... quirky.

The IO part is the real kicker though: You can make *anything* a valid class name by doing something like perl -E 'open q<#@*$!@*^(_>, ">", undef; q<#@*$!@*^(_>->can(can)'
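
The three-step lookup described in this message, as an added Perl model (not code from the ticket or from pp_hot.c). The function classify and its stash_cache, io_handles and patched options are hypothetical names; patched => 1 applies the any-non-empty-string test that the patch attached later in this ticket adopts.

```perl
#!/usr/bin/perl
# Added model of the invocant check; not perl's own code. The stash_cache and
# io_handles hashes are hypothetical stand-ins for interpreter state.
use strict;
use warnings;
use utf8;
binmode STDOUT, ':encoding(UTF-8)';

# Decide what "STRING"->method would do, following the three steps in order.
# patched => 1 swaps the first-character test for "any non-empty string".
sub classify {
    my ($name, %opt) = @_;
    return 'croak: on an undefined value' unless defined $name;
    return 'class method (stash cache hit)' if $opt{stash_cache}{$name};
    return 'IO::Handle method (glob has IO slot)' if $opt{io_handles}{$name};
    my $looks_ok = $opt{patched}
        ? length($name) > 0
        : scalar($name =~ /^[\p{XIDS}_]/);
    return $looks_ok
        ? 'class method (assumed package name)'
        : 'croak: without a package or object reference';
}

# Strings taken from the thread, plus the empty string.
my @samples = (
    '_#@*$!@*^(', '#@*$!@*^(_', 'main::foo', '::foo', '3foo', 'þackage', '',
);

printf "%-14s | %-46s | %s\n",
    'invocant', 'first-character rule', 'non-empty rule';
for my $name (@samples) {
    printf "%-14s | %-46s | %s\n",
        "'${name}'", classify($name), classify($name, patched => 1);
}

# The open() one-liner from the message: once a handle of that name exists,
# the IO step answers before the first-character test is ever reached.
my $odd = '#@*$!@*^(_';
print "\nafter open: ",
    classify($odd, io_handles => { $odd => 1 }), "\n";
```

The model only reproduces the decision order; it does not inspect a real interpreter's stash cache or globs.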

CC: Eric Brine <ikegami [...] adaelis.com>, perl5-porters [...] perl.org, bugs-bitbucket [...] rt.perl.org
Subject: Re: [perl #105922] Questionable package name validation
Date: Tue, 13 Dec 2011 16:12:53 -0700
To: Brian Fraser <fraserbn [...] gmail.com>
From: Tom Christiansen <tchrist [...] perl.com>
> A valid class name, as far as the left side of -> is concerned, is either
> something that is already in the stash cache hash, and failing that,
> something that has an IO slot, and failing that, something that matches
> /^[\p{XIDS}_]/.

Oh darn it. I had convinced myself that Perl identifiers could also start with \p{PC}. Or at least, some of them can, which I do know. It's just not clear which are which.

And which ones can start with \p{Nd} is also anything but clear.

Not clear, not clean.

--tom
CC: Eric Brine <ikegami [...] adaelis.com>, perl5-porters [...] perl.org, bugs-bitbucket [...] rt.perl.org
Subject: Re: [perl #105922] Questionable package name validation
Date: Tue, 13 Dec 2011 20:19:08 -0300
To: Tom Christiansen <tchrist [...] perl.com>
From: Brian Fraser <fraserbn [...] gmail.com>
On Tue, Dec 13, 2011 at 8:12 PM, Tom Christiansen <tchrist@perl.com> wrote:
> A valid class name, as far as the left side of -> is concerned, is either
> something that is already in the stash cache hash, and failing that,
> something that has an IO slot, and failing that, something that matches
> /^[\p{XIDS}_]/.

Oh darn it.   I had convinced myself that Perl identifiers could
also start with \p{PC}.  Or at least, some of them can, which
I do know.  It's just not clear which are which.

And which ones can start with \p{Nd} is also anything but clear.

Not clear, not clean.


That's rightish too. But do note that I said class names on the left side of ->, not identifiers in general ( that can of worms is well known :). "1"->can(yadda) won't work, even though 1 is a valid identifier, and so on.

RT-Send-CC: perl5-porters [...] perl.org
On Tue Dec 13 14:58:38 2011, Hugmeir wrote:
> On Tue, Dec 13, 2011 at 5:48 PM, Eric Brine <ikegami@adaelis.com> wrote:
>
> > On Sun, Dec 11, 2011 at 4:35 PM, Father Chrysostomos <perlbug-followup@perl.org> wrote:
> >
> >> Also, the Unicode Bug affects class method calls. Fixing the above
> >> (which would fix this too) is easier than fixing just this:
> >>
> >> $ ./perl -Ilib -Mutf8 -le '$p = "þackage"; $p->can(can)'
> >>
> >> $ ./perl -Ilib -Mutf8 -le '$p = "þackage"; utf8::downgrade $p;
> >> $p->can(can)'
> >> Can't call method "can" without a package or object reference at -e line 1.
> >>
> >
> > And feature unicode_strings doesn't help.
> >
>
> Whoops, that was me. Fixing this is one line in pp_hot.c (patch attached),
> but that part of the code is just.. weird.
>
> A valid class name, as far as the left side of -> is concerned, is either
> something that is already in the stash cache hash, and failing that,
> something that has an IO slot, and failing that, something that matches
> /^[\p{XIDS}_]/.
> I think that explains why _#@*$!@*^( works, but #@*$!@*^(_ doesn't, and
> similarly with ::foo. Though it sure seems... quirky.
>
> The IO part is the real kicker though: You can make *anything* a valid
> class name by doing something like perl -E 'open q<#@*$!@*^(_>, ">", undef;
> q<#@*$!@*^(_>->can(can)'

That’s not a class method call. That’s an IO method.

$ perl -E 'open q<#@*$!@*^(_>, ">", undef; q<#@*$!@*^(_>->oeunt'
Can't locate object method "oeunt" via package "IO::Handle" at -e line 1.

And 5.9.5 had a bug making constants turn into IOs:

perl5.9.5 -Mconstant=Just,0 -le 'sub IO::Handle::a_japh{print*{$_[0]}=~/([^:]+)$/," another Perl hacker,"} "Just"->a_japh'

:-)

--

Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Tue Dec 13 14:58:38 2011, Hugmeir wrote:
> On Tue, Dec 13, 2011 at 5:48 PM, Eric Brine <ikegami@adaelis.com> wrote:
>
> > On Sun, Dec 11, 2011 at 4:35 PM, Father Chrysostomos <perlbug-followup@perl.org> wrote:
> >
> >> Also, the Unicode Bug affects class method calls. Fixing the above
> >> (which would fix this too) is easier than fixing just this:
> >>
> >> $ ./perl -Ilib -Mutf8 -le '$p = "þackage"; $p->can(can)'
> >>
> >> $ ./perl -Ilib -Mutf8 -le '$p = "þackage"; utf8::downgrade $p;
> >> $p->can(can)'
> >> Can't call method "can" without a package or object reference at -e line 1.
> >>
> >
> > And feature unicode_strings doesn't help.
> >
>
> Whoops, that was me. Fixing this is one line in pp_hot.c (patch attached),
> but that part of the code is just.. weird.

Thank you. Applied as d47f310d69.

--

Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
So is the way to move forward here to just make any string valid on the lhs of ->? I think this would make a lot more sense than the current behavior.

-doy
RT-Send-CC: perl5-porters [...] perl.org
On Tue Jul 03 14:04:57 2012, doy wrote:
> So is the way to move forward here to just make any string valid on the
> lhs of ->? I think this would make a lot more sense than the current
> behavior.

Yes, I think so. It’s on my to-do list, but my to-do list is *long*. :-)

In other words, I would be happy for someone to get to this before I do.

--

Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Tue Jul 03 14:04:57 2012, doy wrote:
> So is the way to move forward here to just make any string valid on the
> lhs of ->? I think this would make a lot more sense than the current
> behavior.

Yes.
RT-Send-CC: perl5-porters [...] perl.org, perl.p5p [...] rjbs.manxome.org, MSCHWERN [...] cpan.org
On Wed Jul 04 05:46:31 2012, rjbs wrote:
> On Tue Jul 03 14:04:57 2012, doy wrote:
> > So is the way to move forward here to just make any string valid on the
> > lhs of ->? I think this would make a lot more sense than the current
> > behavior.
>
> Yes.

Test::More fails its tests with the attachment, because it’s doing this:

    elsif( $error =~ /Can't call method "isa" without a package/ ) {

but "anything"->isa("Wibble") will simply return false now, instead of dying. That means Test::More::isa_ok may output:

# Failed test 'My Wibble isa Wibble'
# at t/fail-more.t line 248.
# My Wibble isn't a 'Wibble' it's a ''

instead of what its tests are checking for:

# Failed test 'My Wibble isa Wibble'
# at t/fail-more.t line 248.
# My Wibble isn't a class or reference

(That ‘it's a ''’ is another bug, reported as #78204.)

I think Test::More’s tests will need a little bit of adjustment.

--

Father Chrysostomos
Download open_c6xI1fTd.txt
From 8eff703c953b1daece21d3ef7bda95618fac1a0a Mon Sep 17 00:00:00 2001 From: Father Chrysostomos <sprout@cpan.org> Date: Wed, 4 Jul 2012 11:25:52 -0700 Subject: [PATCH] [perl #105922] Allow any string before ->meth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The rules for filtering out what do not look like package names are not logical and disallow valid things like "::main", while allowing q"_#@*$!@*^(". This commit simply lets any non-empty string be used as a package name. If it is a typo, you’ll get an error anyway. This allows autobox-style calls like "3foo"->CORE::uc, or even "3foo"->uc if you set up @ISA first. I made an exception for the empty string because it messes up caches somehow and causes subsequent method calls all to be called on the main package. I haven’t looked into that yet. I don’t know whether it’s worth it. diff --git a/pp_hot.c b/pp_hot.c index 77b707c..6366aee 100644 --- a/pp_hot.c +++ b/pp_hot.c @@ -2960,12 +2960,14 @@ S_method_common(pTHX_ SV* meth, U32* hashp) PERL_ARGS_ASSERT_METHOD_COMMON; if (!sv) + undefined: Perl_croak(aTHX_ "Can't call method \"%"SVf"\" on an undefined value", SVfARG(meth)); SvGETMAGIC(sv); if (SvROK(sv)) ob = MUTABLE_SV(SvRV(sv)); + else if (!SvOK(sv)) goto undefined; else { GV* iogv; STRLEN packlen; 
@@ -2994,17 +2996,11 @@ S_method_common(pTHX_ SV* meth, U32* hashp) !(ob=MUTABLE_SV(GvIO(iogv)))) { /* this isn't the name of a filehandle either */ - if (!packname || - ((UTF8_IS_START(*packname) && DO_UTF8(sv)) - ? !isIDFIRST_utf8((U8*)packname) - : !isIDFIRST_L1((U8)*packname) - )) + if (!packname || !packlen) { - /* diag_listed_as: Can't call method "%s" without a package or object reference */ - Perl_croak(aTHX_ "Can't call method \"%"SVf"\" %s", - SVfARG(meth), - SvOK(sv) ? "without a package or object reference" - : "on an undefined value"); + Perl_croak(aTHX_ "Can't call method \"%"SVf"\" " + "without a package or object reference", + SVfARG(meth)); } /* assume it's a package name */ stash = gv_stashpvn(packname, packlen, packname_is_utf8 ? SVf_UTF8 : 0); diff --git a/t/op/method.t b/t/op/method.t index 09f6ee3..8f6bfb8 100644 --- a/t/op/method.t +++ b/t/op/method.t @@ -13,7 +13,7 @@ BEGIN { use strict; no warnings 'once'; -plan(tests => 98); +plan(tests => 103); @A::ISA = 'B'; @B::ISA = 'C'; @@ -417,3 +417,15 @@ eval { () = undef; new {} }; like $@, qr/^Can't call method "new" without a package or object reference/, 'Err msg from new{} when stack contains undef'; + +sub flomp { "flimp" } +sub main::::flomp { "flump" } +is "::"->flomp, 'flump', 'method call on ::'; +is "::main"->flomp, 'flimp', 'method call on ::main'; +eval { ""->flomp }; +like $@, + qr/^Can't call method "flomp" without a package or object reference/, + 'method call on empty string'; +is "3foo"->CORE::uc, '3FOO', '"3foo"->CORE::uc'; +{ no strict; @{"3foo::ISA"} = "CORE"; } +is "3foo"->uc, '3FOO', '"3foo"->uc (autobox style!)'; diff --git a/t/run/fresh_perl.t b/t/run/fresh_perl.t index cd5899a..376ceaf 100644 --- a/t/run/fresh_perl.t +++ b/t/run/fresh_perl.t 
@@ -81,7 +81,7 @@ $array[128]=1 ######## $x=0x0eabcd; print $x->ref; EXPECT -Can't call method "ref" without a package or object reference at - line 1. +Can't locate object method "ref" via package "961485" (perhaps you forgot to load "961485"?) at - line 1. ######## chop ($str .= <DATA>); ########
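Review bot: In the first pp_hot.c hunk (S_method_common, around line 2960), the new label "undefined:" is attached to the croak that forms the body of "if (!sv)", and "else if (!SvOK(sv)) goto undefined;" jumps backwards into that body. It is legal C but easy to misread; put the croak in a braced block with the label on its own line, or give the !SvOK(sv) case its own croak call, and move the goto onto a separate line from its condition. None of the tests added in t/op/method.t call a method on an undefined non-reference value, so a case asserting the "on an undefined value" message would pin this branch down.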
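Review bot: In the second pp_hot.c hunk (around line 2994), the replacement test "if (!packname || !packlen)" rejects the empty string with no comment saying why, while the commit message says the reason (it "messes up caches somehow") has not been looked into. Add a comment at the check recording that the empty-string case is a known, unexplained cache problem, so the condition is not later removed as redundant and so the open question stays visible next to the code. With the isIDFIRST test gone, every other string now reaches gv_stashpvn, which makes this one-line guard the only remaining filter on package names at this call site.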
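Review bot: The tests appended to t/op/method.t cover "::", "::main", the empty string and "3foo", but none of them uses a string from the original report that the old first-character test rejected, such as q"#@*$!@*^(_". Adding that case would tie the test file to the behaviour the ticket is about. The line @{"3foo::ISA"} = "CORE" is set under "no strict" and never undone; that is harmless as the last statements of the file, but a comment saying so would help anyone who appends tests after it.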
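Review bot: In the t/run/fresh_perl.t hunk, the expected output for "$x=0x0eabcd; print $x->ref" changes from the "without a package or object reference" croak to: Can't locate object method "ref" via package "961485" (perhaps you forgot to load "961485"?). A plain number used as an invocant is now reported as a missing package with a hint to load it, which is a user-visible diagnostic change for any code that calls a method on a non-object scalar or matches on the old message. The patch as shown touches only pp_hot.c and two test files, so this needs an accompanying documentation entry, and it is worth deciding whether the "perhaps you forgot to load" hint should be kept for names that could never be a loadable module.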
RT-Send-CC: perl5-porters [...] perl.org
On Wed Jul 04 12:36:34 2012, sprout wrote:
> Test::More fails its tests with the attachment,

which is also on the sprout/package-names-113974 branch.

--

Father Chrysostomos
Subject: Re: [perl #105922] Questionable package name validation
Date: Thu, 5 Jul 2012 22:53:02 -0400
To: perl5-porters [...] perl.org
From: Ricardo Signes <perl.p5p [...] rjbs.manxome.org>
* Father Chrysostomos via RT <perlbug-comment@perl.org> [2012-07-04T15:36:35]
> Test::More fails its tests with the attachment, because it’s doing this:
>
> elsif( $error =~ /Can't call method "isa" without a package/ ) {
>
> but "anything"->isa("Wibble") will simply return false now, instead of
> dying.
> […]
> I think Test::More’s tests will need a little bit of adjustment.

I think so, too.

Schwern, what say you?

--
rjbs
Subject: Re: [perl #105922] Questionable package name validation
Date: Thu, 05 Jul 2012 20:25:44 -0700
To: perl5-porters [...] perl.org
From: Michael G Schwern <schwern [...] pobox.com>
On 2012.7.5 7:53 PM, Ricardo Signes wrote:
>> I think Test::More’s tests will need a little bit of adjustment.
>
> I think so, too.
>
> Schwern, what say you?

I have no objection.

--
24. Must not tell any officer that I am smarter than they are, especially if it's true.
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
       http://skippyslist.com/list/
RT-Send-CC: perl5-porters [...] perl.org
Fixed in 7156e69ab. -- Father Chrysostomos

