
Perl 5 Development Archives

December 13, 2005

Updated Perl modules alleviate Webmin security flaw

The Perl community has updated the core module Sys::Syslog to help alleviate a security hole in the Webmin web administration package. All Webmin users should update immediately to the updated version of Sys::Syslog.


December 15, 2005

Patches fix sprintf buffer overflow

The Perl community has released a fix to the sprintf function that was recently discovered to have a buffer overflow in very specific cases. All Perl users should consider updating immediately.


August 23, 2006

Ponie has been put out to pasture

(This is re-posted from a general announcement made by Jesse Vincent, Perl 6 Project Manager. -- Andy Lester, Perl Foundation PR)

Over the past several years, one key aspect of the migration plan to Perl 6 has been the Ponie project, a fusion of the Perl 5 runtime with Parrot. Sponsored by Fotango, Artur Bergman and Nicholas Clark did a heroic job cleaning up Perl's internals to make it possible to replace some components of Perl 5 with Parrot, one piece at a time, while still keeping the core of the Perl 5 runtime intact with 100% bug-for-bug compatibility. Along the way, Nicholas ported several significant Perl core improvements from Ponie back to the Perl 5.9 tree.

Ponie never really became a community project. All significant work was done as part of Fotango's sponsorship. When it had good momentum and sponsored developers, it needed a number of Parrot features that weren't yet available. At this point, Ponie has not been in active development for almost half a year and it's my unhappy duty to declare the project dead.

Norman Nunley is currently working to do a final extraction of unharvested improvements from the Ponie code before we put it out to pasture. Lots of good came out of Ponie, just not the good things we expected.

A number of very talented hackers are currently exploring multiple strategies to enable most Perl 5 code to run seamlessly along side Perl 6 in Parrot. Folks have already demonstrated a proof-of-concept Parrot VM embedded in the Perl 5 runtime. Work is underway on a Perl 5 to Perl 6 translator and the existing Perl 6 compiler on Parrot is the proof of concept for a similar implementation of a "regularized" Perl 5. At this point, it wouldn't be reasonable to bless any one right way forward but each of these techniques (and possibly others) could play a part in whatever "5 on 6" scheme we end up with. No matter what happens, we're committed to making your Perl 5 code play well with new Perl 6 code.

August 28, 2006

Announcing the Chicago Hackathon 2006, Nov 10-12

The Chicago Perl Mongers and The Perl Foundation are proud to announce the Fall 2006 Chicago Hackathon, the weekend of November 10-12, 2006 in suburban Crystal Lake, IL. It will be a round-the-clock weekend of programming on Perl-related projects with your colleagues in the open source community. Dozens of programmers from the open source community in the midwest, as well as others from around the US, will be getting together to share ideas, work on code, and move their Perl-related projects forward.

The participants set the agenda for what we'll be working on, but Perl 6 and Parrot are already on the roster of projects. Chip Salzenberg, pumpking for the Parrot project, will be on hand to help with Parrot and Perl 6. Andy Lester will also be driving some Parrot maintenance tasks, and other midwest programmers will be working on their own projects. There's sure to be something interesting for everyone!

Participation in the hackathon costs nothing. The Perl Foundation is even providing hotel rooms at a special rate if you want to spend the night. Even if you're in the area for just an hour, stop by, grab a snack or some pizza and talk with other people interested in Perl. You might contribute more than you think just by talking with other programmers.

To find out more, visit http://hackathon.info. If you'll be attending, please sign in on the Attendees wiki page, and/or email rsvp@hackathon.info. You can also send questions to Andy Lester at andy@hackathon.info.

September 5, 2006

Perl 5 powering Web 2.0

John Wang has a great blog entry titled Perl 5 Powering Web 2.0 that points at all the web apps out there that are done in good ol' Perl 5.

You don't have to have Rails to do amazing things with the web. You want frameworks, we got frameworks!

September 18, 2006

Take back your modules

Mark Stosberg wrote a great article on perlmonks called "Take Back Your Modules" about the responsibilities module users have for the modules they use.

September 27, 2006

Thanks Nick

This week the Perl community lost one of its long time contributors, Nick Ing-Simmons, who died of a heart attack on Monday September 25th 2006.

Nick joined the Perl community in the early days of Perl 5. He consistently contributed to the perl5-porters mailing list and later became pumpkin for 5.003_02 where he added the initial implementation of the PerlIO layer.

Nick is probably best known for his work on the Tk and Encode modules. Tk was initially born out of frustration that perl didn't have a native GUI at the time. Nick tirelessly developed Tk for over a decade. Tk often influenced the development of the perl internals through its aggressive use of XS.

Nick was an intelligent person with a willingness to share his knowledge to help others and one who had a great passion about everything he did.

Our deepest condolences go out to his long time partner, Medi, and all those close to him.

The Perl community owes a lot to Nick so I am sure many will join us in saying

"Thanks Nick"

November 17, 2006

Perl's taint checking to the rescue

I read today in the November 15th issue of Software Development Times (an actual paper publication!) that buffer overflows are no longer the most common security problem reported by CVE (cve.mitre.org).

The three most common types of security vulnerabilities in 2005 were cross-site scripting (16.0%), SQL injection (12.9%) and buffer overflows (9.8%). So far in 2006, buffer overflows have lost the #3 place to PHP remote includes.

The good news is that Perl has long had capabilities in the language and its most common libraries that effectively shut down many of these attacks.

It's not surprising that buffer overflows are on the way out. Perl programmers have long been able to leave buffer overflows to someone else: Perl strings grow as needed, so Perl code can't overrun a buffer. The newer dynamic languages like Ruby, Python and PHP have dynamic strings as well, leaving only C and C++ programmers having to worry about the size of their malloc buffers. The one caveat is that each of those interpreters is itself written in C, as are Perl's XS extensions, so an overflow can still lurk underneath your code; the sprintf fix announced above is exactly that case.

Where Perl shines in web security is with its built-in "taint mode", enabled with the -T switch (and switched on automatically for setuid and setgid programs). When taint mode is enabled, all data from an external source, such as a web input form, a command-line argument, an environment variable or a file, is assumed to be untrusted and marked tainted. If a user types in her name, the resulting string is marked internally as tainted. Most of the time, this effect is invisible.

    print "Hello, $name, glad to see you.\n";

Perl will print out the user's name, because no matter what $name is, printing it doesn't present a security risk (the arguments to print are one of the few things taint mode deliberately doesn't check). However, consider this common rookie programmer mistake.

    $dbh = ... code to make a database connection ...;
    $dbh->do( "insert into visitors (name) values ('$name')" );

That works fine for values of $name like "Bob Smith", but consider a string like:

    '); drop table visitors;

Your SQL expands out into

    insert into visitors (name) values (''); drop table visitors;')

That is three statements, separated by semicolons: the first inserts an empty value into the "visitors" table, the second deletes the "visitors" table, and the third is a syntax error. The effect is that one well-crafted string from a miscreant means you've lost your data table. Whether a given database driver will run several statements from one call varies, but don't count on that for protection: an attacker who can close the quote can rewrite the one statement they land in, and that is plenty. The possibilities are endless.

Taint mode to the rescue!

With Perl's taint mode and DBI's TaintIn attribute enabled, that statement never reaches the database. Perl marks anything built from tainted data as tainted, so the interpolated SQL string is tainted; DBI sees that and refuses to execute it, dying with an "Insecure dependency" error. In effect, DBI says "You don't know that the SQL command you're passing me is trustworthy, so I won't run it." Note that TaintIn has to be set explicitly (it defaults to off even under -T): Perl's own taint checks cover shells, files and processes, not a database handle, so without TaintIn the tainted string would be passed straight through.

Of course, DBI handles the safe way of doing SQL calls, using placeholders:

    $sth = $dbh->prepare( "insert into visitors (name) values (?)" );
    $sth->execute( $name );

The data is passed to DBI entirely separately from the command text, so nothing the user types can change the statement's structure; it's that separation, not taint mode, that actually defeats the injection. One caveat: TaintIn checks bind values as well as statement text, so with it enabled the program still has to untaint $name before execute() will accept it. The only way to untaint a value is to pull out the part you've validated with a regular-expression capture (perlsec has the details); taint mode never decides that data is safe, it just makes you say so explicitly.

SQL injection prevention is just the beginning of the value of taint mode to Perl programmers. Tainted data also can't be used to run system commands (system, exec, backticks, piped opens), to modify files or directories, or as the name of a file to require or do, which is the shape of the PHP remote include exploits. Be aware of what it doesn't cover: opening a file for reading with a tainted name is allowed, as are print and syswrite, so a "../" in a user-supplied filename still needs validating by hand. For a more thorough discussion of how taint mode works, and why you want it on in every web program you write, see the perlsec documentation for Perl with perldoc perlsec, or online at http://perldoc.perl.org/perlsec.html
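As an added illustration, not code from the original post, here is a small script that runs the three variants discussed above (interpolated SQL, a placeholder fed the raw tainted value, and a placeholder fed a value that has been validated and untainted) against an in-memory SQLite database under -T with TaintIn on. DBD::SQLite, the visitors table, the name whitelist in untaint_name() and the three sample inputs are all assumptions made for this demo.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: taint mode, DBI's TaintIn and
# placeholders working together. Run as:
#   perl -T taint_demo.pl 'Bob Smith' "O'Brien" "'); drop table visitors;"
# Assumes DBD::SQLite is installed; the visitors table, the whitelist in
# untaint_name() and the sample inputs are all constructed for the demo.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);   # tainted() reports the flag directly

# perlsec's first step under -T: scrub the environment. %ENV is tainted, and
# any later system()/exec() would refuse to run with a tainted $ENV{PATH}.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# The only way to launder a tainted value is a regex capture. Hypothetical
# policy for this demo: letters, spaces, hyphens and apostrophes, 1..64 chars.
# Apostrophes are allowed on purpose: the placeholder, not this regex, is what
# keeps an apostrophe from becoming SQL syntax. Returns undef on rejection.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z' -]{1,64})\z/ ? $1 : undef;
}

die "usage: perl -T $0 NAME...\n" unless @ARGV;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, TaintIn => 1 });
$dbh->do('CREATE TABLE visitors (name TEXT NOT NULL)');   # literal: not tainted

my $sth = $dbh->prepare('INSERT INTO visitors (name) VALUES (?)');

for my $name (@ARGV) {              # @ARGV came from outside: tainted
    printf "input %-28s tainted=%d\n", "[$name]", tainted($name) ? 1 : 0;

    # 1. Interpolated SQL. The string inherits the taint, and TaintIn makes
    #    DBI die ("Insecure dependency ...") before anything reaches SQLite.
    #    Without -T and TaintIn, DBI would hand this straight to the database.
    my $ok = eval { $dbh->do("INSERT INTO visitors (name) VALUES ('$name')"); 1 };
    print "  interpolated SQL:       ", $ok ? "ran (NOT what you want)\n" : "refused: $@";

    # 2. Placeholder, raw value. Still refused: bind values are method
    #    arguments too, which is what forces the explicit check in step 3.
    $ok = eval { $sth->execute($name); 1 };
    print "  placeholder, tainted:   ", $ok ? "ran\n" : "refused: $@";

    # 3. Validate and untaint, then bind. "O'Brien" passes the whitelist and
    #    is stored as data; the "'); drop table" payload never matches it.
    my $clean = untaint_name($name);
    if (defined $clean) {
        $sth->execute($clean);
        print "  placeholder, untainted: inserted\n";
    } else {
        print "  placeholder, untainted: rejected by whitelist\n";
    }
}

# The table is still there, and the stored names are exactly the validated ones.
my $rows = $dbh->selectall_arrayref('SELECT name FROM visitors ORDER BY rowid');
print scalar(@$rows), " row(s) in visitors:\n";
print "  [$_->[0]]\n" for @$rows;
```

With the three sample arguments, steps 1 and 2 are refused for every input, "Bob Smith" and "O'Brien" are inserted by step 3, the payload is rejected by the whitelist, and the final query reports two rows. Two practical notes: perl dies with "Too late for -T option" if the shebang carries -T but the command line does not, so invoke it as perl -T; and the whitelist is the real security decision in this script, so keep it as narrow as the application allows.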

I hope that other dynamic languages continue to borrow Perl's features and add explicit taint-mode checking to their bags of tricks. Modern web development demands it.

December 3, 2006

A trio of Perl calendars

December brings three different online calendars for the Perl community.

First, the traditional Perl Advent Calendar informs you about a snazzy module every day until the 25th, with requisite RSS feed for those of you practicing one of the three virtues this holiday season.

Next, for Catalyst users, or those who'd like to start, the Catalyst Advent Calendar brings a daily tip for those interested in this increasingly popular framework.

Finally, brian d foy has created a Perl Community calendar on Google Calendar. Follow it via XML, iCal, and HTML.

May 2, 2007

Help Wanted: Perl Coding Needed

I often hear this:

"I'd get involved in Perl, but all the cool stuff is done and there's no room to make a name for myself. No one needs another DBI module..."

or even:

"All the cool kids are using (Ruby/Python/TI-994A Extended Basic) because they don't have CPAN yet and they can become the uber-programmer for the cool modules."

Well, to these I say, "Nonsense!" There is a ton of work to be done for Perl today, right now. And it's crucially important work. So whenever I come across something that I think is really important, I'm going to post it with the heading 'Help Wanted.'

Criteria: This isn't going to be stuff like, "We need someone to fix this RT ticket for this module." I'm going to try to post stuff that I feel is truly important to Perl and would be useful to many people. I'll also try to post any progress if I hear about it.

Interested? Go check out the first posting for SOAP::Lite.

Help Wanted: SOAP::Lite

Here's my first Help Wanted entry. SOAP::Lite needs your help. Byrne Reese has posted a good assessment of the state of the SOAP::Lite. Read on for details.


About Perl 5 Development

This page contains an archive of all entries posted to The Perl Foundation in the Perl 5 Development category. They are listed from oldest to newest.
