Date:      Sun, 12 Sep 1999 17:52:54 -0700
From:      Gurusamy Sarathy <gsar@ActiveState.com>
To:        Ilya Zakharevich <ilya@math.ohio-state.edu>
Cc:        gsar@activestate.com (Gurusamy Sarathy), muir@idiom.com (David Muir Sharnoff), perl5-porters@perl.org, freebsd-bugs@freebsd.org
Subject:   Re: [ID 19990727.005] sprintf considered insecure? 
Message-ID:  <199909130052.RAA28751@activestate.com>
In-Reply-To: Your message of "Sun, 12 Sep 1999 18:10:33 EDT." <199909122210.SAA16630@monk.mps.ohio-state.edu> 

On Sun, 12 Sep 1999 18:10:33 EDT, Ilya Zakharevich wrote:
>Gurusamy Sarathy writes:
>> ==== //depot/perl/perl.c#166 (text) ====
>> Index: perl/perl.c
>> --- perl/perl.c.~1~	Sun Sep 12 13:09:05 1999
>> +++ perl/perl.c	Sun Sep 12 13:09:05 1999
>> @@ -409,6 +409,11 @@
[...]
>Can you reconfigure your diff-extractor to give diff the options -p?

No (unfortunately).  The diff is handled internally in the perforce
server.  One *could* write a script to fetch the files before and
after and do the diff using GNU diff (Porting/p4d2p would
be the place to patch, if you're feeling up to it).  It would run
much slower, though, because you will have to fetch the entire
file twice (as opposed to fetching the very fast server diff just
once).  Which probably means I won't use it anyway. ;-)

>> +To cope with broken systems that allow the standard locales to be
>> +overridden by malicious users, the return value may be tainted
>> +if any of the floating point formats are used and the conversion
>> +yields something that doesn't look like a normal C-locale floating
>> +point number.  This happens regardless of whether C<use locale> is
>> +in effect or not.
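Review bot: the documented condition is too loose for a reader to predict when tainting happens: "may be tainted" and "doesn't look like a normal C-locale floating point number" do not say which outputs are accepted. Suggest stating the accepted form (sign, digits, decimal point, exponent) and naming the floating point conversions the check covers, and since the text says the check runs even without C<use locale>, either give the reason or document that it only matters on systems where the C locale itself has been overridden.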
>
>Why this in a 'no locale' situation?  Do you do the same for the
>NOK===>POK conversions?

No, but I'm glad you asked.  Perhaps Chip can tell us why only
s?printf() are treated this way.  Frankly, I'd rather Perl didn't
consider the C/POSIX locale untrustworthy, but this behavior
has been there since 5.004.

Whatever the reasons, it appears NV->PV conversions had a better
argument for the behavior than s?printf() because the latter is
always forced to be in the C/POSIX locale while the former is not.


Sarathy
gsar@activestate.com
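The behaviour discussed above, as an added example that is not part of the thread and not code from the perl5 source: a program running under taint mode can accept a sprintf() result only when it has the shape of a C-locale number, which is the same condition the documentation describes for tainting. The regex is an assumption about what "a normal C-locale floating point number" means, and Scalar::Util (not available in 1999-era perls) is used only to report taint status.

```perl
# Added example, not code from the thread or from the perl5 source.
# Run with: perl -T example.pl
# Under taint mode a sprintf() result made with a floating point format
# may be tainted when it does not look like a C-locale number.  This
# script validates such results and untaints them only through a match
# against an assumed C-locale float pattern.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed shape of a C-locale float: optional sign, digits with an
# optional '.' fraction, optional exponent, or the special spellings
# for infinity and not-a-number.
my $C_LOCALE_FLOAT = qr/
    \A [-+]?
    (?: \d+ (?: \. \d* )? | \. \d+ )
    (?: [eE] [-+]? \d+ )?
    \z
  | \A [-+]? (?: inf(?:inity)? | nan ) \z
/xi;

# Formats $value with $fmt and returns the result as an untainted
# string.  Dies if the conversion yielded something outside the
# C-locale shape, which is the case in which perl marks it tainted.
sub format_float_checked {
    my ($fmt, $value) = @_;
    my $out = sprintf($fmt, $value);
    if ($out =~ /($C_LOCALE_FLOAT)/) {
        return $1;                       # a regex capture untaints
    }
    die "sprintf('$fmt') produced non-C-locale output: '$out'"
        . (tainted($out) ? ' (tainted)' : '') . "\n";
}

# Normal case: a plain C-locale result passes through unchanged.
my $ok = format_float_checked('%.3f', 3.14159);
print "accepted: $ok tainted=", (tainted($ok) ? 1 : 0), "\n";

# Constructed string imitating what a broken locale with a decimal
# comma could produce.  A sane sprintf('%.3f') never returns this, so
# the string is fed to the same validation directly.
my $broken = '3,142';
if ($broken =~ /($C_LOCALE_FLOAT)/) {
    print "unexpectedly accepted: $1\n";
} else {
    print "rejected non-C-locale output: '$broken'\n";
}
```

Without -T the script still runs, but tainted() always reports 0; the value of the check is that a result outside the C-locale shape is refused before it reaches anything that would treat it as a number.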


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909130052.RAA28751>