restrict legal identifier names for security

Newsgroups perl.perl5.porters
Message-ID <4d9c3439-0b37-4a1d-a653-f01fbc8cb8c2@khwilliamson.com> (permalink)
Date 2026-01-26 12:41 -0700
Subject restrict legal identifier names for security
From perl@khwilliamson.com (Karl Williamson)


Accepting any combination of legal Unicode Identifier characters has led 
to security problems.  Hence Unicode has added guidance that we are not 
following.

I'm proposing that the PSC and other interested parties familiarize 
yourselves with https://www.unicode.org/reports/tr39/ "Unicode Security 
Mechanisms" and https://www.unicode.org/reports/tr55/ "Unicode Source 
Code Handling" so that we can discuss which we might want to implement.
I think it's a no-brainer that we stop accepting deprecated characters 
(there are 20-ish of these).  But there's much more there.

The benefits are fewer potential security holes, including many none of 
us on this project has the background to be aware of.  We would be using 
accumulated knowledge from bitter experiences of others.  This could 
detect existing trojans and we could get them removed.

The downside is we might break existing legitimate code.  The more 
restrictions we impose, the more likely there is breakage.  This could 
be alleviated by enabling some restrictions only under a 'use v5.xx'.
