On Friday, September 20, 2002, at 09:38 PM, Jerry LeVan wrote:
> Hi, I undef'ed the locale stuff in hints.sh and have not noticed any evil to
> this point.
>
> # Locales aren't feeling well.
> #LC_ALL=C; export LC_ALL;
> #LANG=C; export LANG;
> d_setlocale=undef;

Sure you can do this, just as you can achieve the same effect by setting 
$ENV{BADLANG} to 0, it doesn't affect the performance of your box or 
perl directly, but it also doesn't deal with the underlying problem, 
quoting from perllocale's sternly chiding security section:

> Perl cannot protect you from all possibilities shown in the
> examples--there is no substitute for your own vigilance--but, when
> "use locale" is in effect, Perl uses the tainting mechanism (see the
> perlsec manpage) to mark string results that become locale-dependent,
> and which may be untrustworthy in consequence.

Just above this, the same pod gives some examples of exploits which 
could be facilitated by not having the locale set properly, admittedly 
though they're not exactly doom-ladenly dangerous, but to my mind 
anything which can potentially mess up regex interpolation and character 
recognition can't be a good thing - which is why I wasn't happy with 
using either of the above methods to shut perl up.

Oh alright, and to get the personal satisfaction of actually having 
'finished' an installation (I kept envisioning perl as being that half 
dismantled washing machine in the garage that you wanted to fix but 
never actually get around to putting back together).

Robin
