diff options
author | Tony Cook <tony@develop-help.com> | 2018-01-24 15:03:39 +1100 |
---|---|---|
committer | Tony Cook <tony@develop-help.com> | 2018-11-05 10:19:05 +1100 |
commit | e459aaffe40291395017cc002fc6d261e7cae0ae (patch) | |
tree | 2dae59e2da7acd1d1d1229ad485321e085e149ee | |
parent | f196658042490a6287fc178f0bc20fd5558ac54b (diff) | |
download | perl-e459aaffe40291395017cc002fc6d261e7cae0ae.tar.gz |
(perl #132147) add security warnings to the *DBM_File modules
-rw-r--r-- | ext/GDBM_File/GDBM_File.pm | 12 | ||||
-rw-r--r-- | ext/NDBM_File/NDBM_File.pm | 17 | ||||
-rw-r--r-- | ext/ODBM_File/ODBM_File.pm | 17 | ||||
-rw-r--r-- | ext/SDBM_File/SDBM_File.pm | 8 |
4 files changed, 54 insertions, 0 deletions
diff --git a/ext/GDBM_File/GDBM_File.pm b/ext/GDBM_File/GDBM_File.pm index a33b8b59b1..fe34470bd3 100644 --- a/ext/GDBM_File/GDBM_File.pm +++ b/ext/GDBM_File/GDBM_File.pm @@ -31,6 +31,18 @@ C<ftp.gnu.org>, but you are strongly urged to use one of the many mirrors. You can obtain a list of mirror sites from L<http://www.gnu.org/order/ftp.html>. +=head1 SECURITY AND PORTABILITY + +B<Do not accept GDBM files from untrusted sources.> + +GDBM files are not portable across platforms. + +The GDBM documentation doesn't imply that files from untrusted sources +can be safely used with C<libgdbm>. + +A maliciously crafted file might cause perl to crash or even expose a +security vulnerability. + =head1 BUGS The available functions and the gdbm/perl interface need to be documented. diff --git a/ext/NDBM_File/NDBM_File.pm b/ext/NDBM_File/NDBM_File.pm index fc250ec840..97c3917c92 100644 --- a/ext/NDBM_File/NDBM_File.pm +++ b/ext/NDBM_File/NDBM_File.pm @@ -104,6 +104,23 @@ This warning is emitted when you try to store a key or a value that is too long. It means that the change was not recorded in the database. See BUGS AND WARNINGS below. +=head1 SECURITY AND PORTABILITY + +B<Do not accept NDBM files from untrusted sources.> + +On modern Linux systems these are typically GDBM files, which are not +portable across platforms. + +The GDBM documentation doesn't imply that files from untrusted sources +can be safely used with C<libgdbm>. + +Systems that don't use GDBM compatibilty for ndbm support will be +using a platform specific library, possibly inherited from BSD +systems, where it may or may not be safe to use an untrusted file. + +A maliciously crafted file might cause perl to crash or even expose a +security vulnerability. + =head1 BUGS AND WARNINGS There are a number of limits on the size of the data that you can diff --git a/ext/ODBM_File/ODBM_File.pm b/ext/ODBM_File/ODBM_File.pm index 99799bc520..6d89a229f6 100644 --- a/ext/ODBM_File/ODBM_File.pm +++ b/ext/ODBM_File/ODBM_File.pm @@ -101,6 +101,23 @@ This warning is emitted when you try to store a key or a value that is too long. It means that the change was not recorded in the database. See BUGS AND WARNINGS below. +=head1 SECURITY AND PORTABILITY + +B<Do not accept ODBM files from untrusted sources.> + +On modern Linux systems these are typically GDBM files, which are not +portable across platforms. + +The GDBM documentation doesn't imply that files from untrusted sources +can be safely used with C<libgdbm>. + +Systems that don't use GDBM compatibilty for old dbm support will be +using a platform specific library, possibly inherited from BSD +systems, where it may or may not be safe to use an untrusted file. + +A maliciously crafted file might cause perl to crash or even expose a +security vulnerability. + =head1 BUGS AND WARNINGS There are a number of limits on the size of the data that you can diff --git a/ext/SDBM_File/SDBM_File.pm b/ext/SDBM_File/SDBM_File.pm index 5df9085760..7be9263417 100644 --- a/ext/SDBM_File/SDBM_File.pm +++ b/ext/SDBM_File/SDBM_File.pm @@ -119,6 +119,14 @@ This warning is emitted when you try to store a key or a value that is too long. It means that the change was not recorded in the database. See BUGS AND WARNINGS below. +=head1 SECURITY WARNING + +B<Do not accept SDBM files from untrusted sources!> + +The sdbm file format was designed for speed and convenience, not for +portability or security. A maliciously crafted file might cause perl to +crash or even expose a security vulnerability. + =head1 BUGS AND WARNINGS There are a number of limits on the size of the data that you can |