New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[demerphq] Re: fix for CVE-2014-4330 present in blead #14100
Comments
From @andk-------------------- Start of partially forwarded message -------------------- [...] cheers, How come this is not documented? It should be (if true). -- |
From @demerphqOn 19 September 2014 05:25, Andreas J. Koenig via RT <
I'm not sure exactly what you mean by "if true". I expressed an opinion that DD is generally unsuitable as a serialization The reason are as follows: DD is incapable of serializing correctly many of the data structures Perl As a debugging/diagnostics tool DD is pretty good, but even for that If you want to serialize Perl data then IMO you have a number of other 1. Storable Storable can represent *any* Perl data structure possible and is fast. It JSON is a relatively uncomplicated encoding format incapable of YAML appears to be able to represent most of not all (of the sane) Perl Sereal is designed as a replacement for Storable. It is more efficient both So from my point of view for pure serialization purposes Sereal is the best If you also want human readable output then you should pick YAML or JSON. If you just want to debug stuff then DD is plenty fine, although DDS is Yves -- |
The RT System itself - Status changed from 'new' to 'open' |
From @andk
> I expressed an opinion that DD is generally unsuitable as a serialization tool, Thank you. > The reason are as follows: > DD is incapable of serializing correctly many of the data structures Perl can This is documented. > DD is incapable of round tripping many data structures, This is documented. > even ones as simple as strings properly. I could not find this documented, can you please elaborate? > DD requires eval to deserialize, making its use as a serialization format This is documented. > Data::Undump somewhat addresses this, but only to a certain extent. This may be relevant but does not necessarily need to be documented. > As a debugging/diagnostics tool DD is pretty good, but even for that purpose Ditto. > If you want to serialize Perl data then IMO you have a number of other choices > [...] I don't think that the manpage for DD needs to mention all alternatives -- |
From @demerphqOn 20 September 2014 05:16, Andreas Koenig <
You are welcome. But I have to say I am bit confused as to the purpose of
Is it? I am unaware of them. An example of something DD doesnt dump right: perl -MData::Dumper -le'my @array; $array[0]=\$array[1];
Again, I am not familiar with where.
$ perl -MData::Dumper -le'my $str="hello\tthere\n"; utf8::upgrade($str); That $str is not going to eval back with the utf8 flag set. Another example: $ perl -MData::Dumper -le'my $str="\0\1\2"; utf8::upgrade($str); print That one actually I think is a regression, IIRC we used to output this as: $str = "\x{0}\x{1}\x{2}"; Which a module like Data::Undump uses to know that the string should end up Another example: perl -MData::Dumper -le'my $str="\0\1\2"; Internals::SvREADONLY($str,1); The readonly flag will not round trip.
Yes, I rather suspect it is.
Ok.
I would say that DD should probably reference DDS as an alternative.
Well, I thought the point of this thread was why people shouldnt think of And if it isnt it should probably reference modules that are. Yves -- |
From @andk
> On 20 September 2014 05:16, Andreas Koenig <
>>> I expressed an opinion that DD is generally unsuitable as a >> Thank you. > You are welcome. But I have to say I am bit confused as to the purpose of this The purpose of this ticket is trivial: you say DD is broken, I find this That said, I'm not sure where this ticket will lead us. If Data::Dumper >>> The reason are as follows: >>> DD is incapable of serializing correctly many of the data >> This is documented. > perl -MData::Dumper -le'my @array; $array[0]=\$array[1]; $array[1]=\$array[0]; I stand corrected, this seems undocumented. >>> DD is incapable of round tripping many data structures, >> This is documented. I suppose this extra paragraph is a subcase of the above example? I >>> even ones as simple as strings properly. >> I could not find this documented, can you please elaborate? > That $str is not going to eval back with the utf8 flag set. > Another example: > $ perl -MData::Dumper -le'my $str="\0\1\2"; utf8::upgrade($str); print > That one actually I think is a regression, IIRC we used to output this as: > $str = "\x{0}\x{1}\x{2}"; > Which a module like Data::Undump uses to know that the string should end up > Another example: > perl -MData::Dumper -le'my $str="\0\1\2"; Internals::SvREADONLY($str,1); Dump > The readonly flag will not round trip. Aha, these exampes look like you were talking about internal flags. >>> DD requires eval to deserialize, making its use as a serialization >> This is documented. > Yes, I rather suspect it is. Good. >> This may be relevant but does not necessarily need to be documented. Great. >>> As a debugging/diagnostics tool DD is pretty good, but even for >> Ditto. Fine by me. >>> If you want to serialize Perl data then IMO you have a number of >>> [...] >> I don't think that the manpage for DD needs to mention all alternatives > Well, I thought the point of this thread was why people shouldnt think of DD as The point of this ticket is to fix bugs, be it documentations bugs, > And if it isnt it should probably reference modules that are. Fine by me. Would you mind providing a patch? -- |
From @khwilliamsonOn Sat Sep 20 05:07:10 2014, andreas.koenig.7os6VVqR@franz.ak.mind.de wrote:
A CVE related bug seems like we should be addressing it |
Migrated from rt.perl.org#122807 (status was 'open')
Searchable as RT122807$
The text was updated successfully, but these errors were encountered: