


Re: restrict legal identifier names for security

Newsgroups perl.perl5.porters
Message-ID <01105f71-1119-4cd8-9d80-33d64e2269cf@perturb.org> (permalink)
Date 2026-01-26 17:56 -0800
Subject Re: restrict legal identifier names for security
References <4d9c3439-0b37-4a1d-a653-f01fbc8cb8c2@khwilliamson.com>
From scott@perturb.org (Scott Baker)



I like this in theory, but I'm not gonna read 100 pages of RFC to figure 
it out.

Do you have specific recommendations we could put in place today? Maybe 
an executive summary to get people on board?

-- Scottchiefbaker

On 1/26/2026 11:41 AM, Karl Williamson wrote:
> Accepting any combination of legal Unicode Identifier characters has 
> led to security problems.  Hence Unicode has added guidance that we 
> are not following.
>
> I'm proposing that the PSC and other interested parties familiarize 
> yourselves with https://www.unicode.org/reports/tr39/ "Unicode 
> Security Mechanisms" and https://www.unicode.org/reports/tr55/ 
> "Unicode Source Code Handling" so that we can discuss which we might 
> want to implement.
> I think it's a no-brainer that we stop accepting deprecated characters 
> (there are 20-ish of these).  But there's much more there.
>
> The benefits are fewer potential security holes, including many none 
> of us on this project has the background to be aware of.  We would be 
> using accumulated knowledge from bitter experiences of others.  This 
> could detect existing trojans and we could get them removed.
>
> The downside is we might break existing legitimate code.  The more 
> restrictions we impose, the more likely there is breakage.  This could 
> be alleviated by enabling some restrictions only under a 'use v5.xx'.
>
>
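
An added example, not part of either message and not perl5-porters code: a small Perl audit script for the kind of check discussed above, reporting identifier-like tokens that contain characters with the Unicode Deprecated property or that mix scripts. The helper names `audit_identifier` and `audit_source`, the three-script subset and the sample input are assumptions made for illustration; this is not the full TR39 restriction-level algorithm.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

binmode STDOUT, ':encoding(UTF-8)';

# Scripts checked for mixing: an assumed subset, not TR39's full algorithm.
my %SCRIPT = (
    Latin    => qr/\p{Script=Latin}/,
    Cyrillic => qr/\p{Script=Cyrillic}/,
    Greek    => qr/\p{Script=Greek}/,
);

# Return a list of findings for one identifier (hypothetical helper).
sub audit_identifier {
    my ($name) = @_;
    my @findings;

    # \p{Deprecated} is the Unicode Deprecated property as exposed by Perl.
    while ($name =~ /(\p{Deprecated})/g) {
        push @findings, sprintf 'deprecated character U+%04X', ord $1;
    }

    my @seen = grep { $name =~ $SCRIPT{$_} } sort keys %SCRIPT;
    push @findings, 'mixed scripts: ' . join('+', @seen) if @seen > 1;

    return @findings;
}

# Scan source text for identifier-like tokens and audit each one.
sub audit_source {
    my ($source) = @_;
    my %report;
    while ($source =~ /([\p{XID_Start}_]\p{XID_Continue}*)/g) {
        my @findings = audit_identifier($1);
        $report{$1} = \@findings if @findings;
    }
    return \%report;
}

# Constructed sample: "t\x{043E}tal" has CYRILLIC SMALL LETTER O in place of
# Latin "o"; U+0149 is one of the deprecated characters.
my $sample = "my \$total = 1;\nmy \$t\x{043E}tal = 2;\nsub \x{0149}ame { }\n";

my $report = audit_source($sample);
for my $name (sort keys %$report) {
    print "$name: $_\n" for @{ $report->{$name} };
}
```

The tokenizer here is a plain regex over the text, so it also matches words inside strings and comments; a real audit would use a Perl parser to pick out actual identifiers.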



Thread

restrict legal identifier names for security perl@khwilliamson.com (Karl Williamson) - 2026-01-26 12:41 -0700
  Re: restrict legal identifier names for security scott@perturb.org (Scott Baker) - 2026-01-26 17:56 -0800
