Open leonerd opened 3 weeks ago
The only exploit I could see is someone sending a stream of numbers, getting them converted to characters, and having that evaled. Unlikely, but not impossible? Seems like chr should be tainted out of an abundance of caution.
Edit: or used as a filename, or many other use cases. I wasn't thinking this through, which, I suppose, is what black hats want.
On Tue, Apr 23, 2024 at 07:42:52AM -0700, Paul Evans wrote:
> I express no opinion on whether this is a bug in chr() that needs fixing, or simply a note needs adding to the documentation somewhere to explain that this is the case.
Smells like a bug to me.
-- Fire extinguisher (n) a device for holding open fire doors.
I agree with @iabyn
While in practice it's hard to see how to use this as an exploit, nonetheless it remains the case that the chr() core op loses tainting of its value, whereas symmetrically ord() preserves it. But
no output.
This fact is not mentioned in perlsec nor in perldoc -f chr.
I express no opinion on whether this is a bug in chr() that needs fixing, or simply a note needs adding to the documentation somewhere to explain that this is the case.
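A small script to check the behaviour discussed in this issue, added here as an illustration and not taken from the thread or from the perl5 repository. It assumes Scalar::Util (core since 5.8) and must be started with taint checks on, i.e. `perl -T taint_chr.pl`, so that %ENV is tainted; the reported values are whatever the running perl does, the script asserts nothing about them. The last part shows the explicit regex-capture untainting that should guard any value about to be used as a filename or evaled, whatever chr() happens to do:

```perl
#!/usr/bin/perl -T
# Added demonstration (not part of the issue): report whether chr() and ord()
# propagate taint, then show explicit untainting via a regex capture.
# Run as:  perl -T taint_chr.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every %ENV value is tainted; substr() of a tainted value stays
# tainted, so this yields a tainted empty string we can "stir" into data.
my $taint = substr($ENV{PATH} // '', 0, 0);

my $num = 65 . $taint;    # tainted "65"  (numeric input for chr)
my $str = 'A' . $taint;   # tainted "A"   (string input for ord)

# Report taintedness of inputs and of the ops' results.
my @rows = (
    [ 'input num', $num      ],
    [ 'chr(num)',  chr $num  ],
    [ 'input str', $str      ],
    [ 'ord(str)',  ord $str  ],
);
printf "%-10s tainted=%d\n", $_->[0], tainted($_->[1]) ? 1 : 0 for @rows;

# Defensive pattern: never rely on an op to carry taint; untaint explicitly
# against an allow-list before the value reaches open(), eval, system(), etc.
my $char = chr $num;
my ($safe) = $char =~ /\A([A-Za-z0-9_]+)\z/
    or die "character not in allow-list, refusing to use it\n";
printf "%-10s tainted=%d\n", 'untainted', tainted($safe) ? 1 : 0;
```

If chr() drops taint as the report says, the `chr(num)` row will print `tainted=0` while `ord(str)` prints `tainted=1`; the regex capture line is the check that keeps code safe in either case, since only the captured, validated text is used afterwards.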