Re: Security Checks for CPAN Module Authors

by cavac (Parson)
on Oct 22, 2018 at 10:37 UTC ( [id://1224475]=note )


in reply to Security Checks for CPAN Module Authors

This might not be as trivial as you'd imagine. For example, a module might pull in some unsafe hashing algorithm module (like MD5) dynamically when asked to do so or as a fallback option. Depending on a lot of circumstances, this might be a huge security problem (passwords without salt) or it might be OK to do so in support of some non-security-related legacy requirement. And in the case of your application, it might not even load the module, just require it to be installed "just in case".

perl -e 'use MIME::Base64; print decode_base64("4pmsIE5ldmVyIGdvbm5hIGdpdmUgeW91IHVwCiAgTmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duLi4uIOKZqwo=");'

Re^2: Security Checks for CPAN Module Authors
by localshop (Monk) on Oct 25, 2018 at 15:44 UTC

    I was thinking a little less granular.

    For example, if I run `cpan-audit installed` I see a warning for PathTools <3.62, so if I use File::Spec I simply enforce a minimal version so that the module user performs an update of this module.

    Actually, that specific module is probably not a great example as it's part of the Core bundled packages, but you get the idea. So I wasn't thinking about going down to specific encryption algorithms etc., but just looking at modules with versions that have security advisories that are simple enough to set minimal versions on without forcing a Perl version upgrade.
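The approach localshop describes, as an added example that is not code from the thread: check the installed versions of a module's dependencies against the minimum versions an advisory calls for, then declare those minimums where a distribution normally does. Only PathTools/File::Spec 3.62 comes from the thread; `Some::Dependency` and its version are constructed placeholders.

```perl
#!/usr/bin/env perl
# Added example: compare installed dependency versions against the minimum
# versions a security advisory requires (cpan-audit output is read manually
# and entered into %minimum below). Only File::Spec/PathTools 3.62 is from
# the thread; Some::Dependency is a constructed placeholder.
use strict;
use warnings;
use version;
use Module::Load ();   # core module; loads a module by name at runtime

# Module (as loaded) => minimum version the author wants to require.
# File::Spec ships in the PathTools distribution flagged by cpan-audit.
my %minimum = (
    'File::Spec'       => '3.62',   # PathTools < 3.62 advisory, from the thread
    'Some::Dependency' => '1.00',   # constructed placeholder, will be missing
);

# Returns a list of [module, installed_version, required_version] for every
# module that is not installed, has no $VERSION, or is older than required.
# An empty list means all dependencies satisfy the advisory minimums.
sub outdated_deps {
    my (%min) = @_;
    my @bad;
    for my $mod (sort keys %min) {
        my $loaded = eval { Module::Load::load($mod); 1 };
        if (!$loaded) {
            push @bad, [ $mod, 'not installed', $min{$mod} ];
            next;
        }
        my $have = $mod->VERSION;
        if (!defined $have || version->parse($have) < version->parse($min{$mod})) {
            push @bad, [ $mod, $have // 'unknown', $min{$mod} ];
        }
    }
    return @bad;
}

for my $d (outdated_deps(%minimum)) {
    my ($mod, $have, $need) = @$d;
    print "$mod: have $have, need >= $need\n";
}

# The same requirement expressed where a distribution normally declares it,
# so that installing the module forces the dependency upgrade:
#   in the module source:   use File::Spec 3.62;   # dies on an old PathTools
#   in Makefile.PL:         PREREQ_PM => { 'File::Spec' => '3.62' },
#   in cpanfile:            requires 'File::Spec', '3.62';
```

On a system whose PathTools is already current, only the placeholder module is reported, which is the expected outcome; an old PathTools would show up with its installed version next to the required 3.62.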
