On Tue, 30 Aug 2005, Jonathan Vanasco wrote:

> are there any worries for security overflows / memory leaks, having compiled
> that stuff into c or xs (it's one of those, right?) under mod_perl

Sure, it's worth worrying about. Anything written in C can potentially have a buffer-overflow bug or a memory leak, including Perl itself. One way to mitigate against a bug like this is to use taint checking. If you carefully check all input from the user then exploiting a buffer-overflow becomes much harder, ideally impossible.

> under regular perl, that stuff would just die at the end of the script/post
> execution - under mod_perl does it die after execution and then is respawned
> or is it still running?

You might want to read about buffer-overflow vulnerabilities. If one did actually exist and was remotely exploitable then the Apache process would actually run code written by the attacker. This isn't just about crashing the server, it's a break-in scenario. This goes for buffer-overflows in XS modules like HTML::Template::JIT as well as one that might exist in Perl itself.

-sam
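
The input checking described in the message above, as an added example that is not part of the original message or of any module it names: every request value is untainted through an allow-list pattern with a length cap, and anything still tainted is refused before it can reach compiled (XS) code. The field names, rules and sample values are assumptions made up for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl   (file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical per-field rules: allowed characters and a hard length cap.
my %RULES = (
    username => { re => qr/\A([A-Za-z0-9_.-]+)\z/, max => 32 },
    page     => { re => qr/\A([0-9]+)\z/,          max => 6  },
);

# Return an untainted copy of $value, or die if it breaks the field's rule.
sub untaint_field {
    my ($field, $value) = @_;
    my $rule = $RULES{$field} or die "no rule for field '$field'\n";
    die "$field: missing\n"  unless defined $value;
    die "$field: too long\n" if length($value) > $rule->{max};
    # Only a regex capture clears the taint flag on the extracted text.
    my ($clean) = $value =~ $rule->{re}
        or die "$field: rejected\n";
    return $clean;
}

# Gate in front of compiled code: nothing tainted gets past this point.
sub safe_params {
    my (%in) = @_;
    my %out;
    for my $field (sort keys %in) {
        $out{$field} = untaint_field($field, $in{$field});
        die "$field: still tainted\n" if tainted($out{$field});
    }
    return %out;
}

# Constructed sample input. Appending a zero-length piece of $^X (tainted
# under -T) marks each value as tainted, the way real request data would be.
my $taint = substr($^X, 0, 0);
for my $user ('alice', 'A' x 5000, "bob\x00extra") {
    my %p = eval { safe_params(username => $user . $taint,
                               page     => '3'   . $taint) };
    # Only %p would be handed on to the template object.
    print $@ ? "rejected: $@" : "accepted: $p{username}\n";
}
```

Under mod_perl, taint mode is switched on in the server configuration (`PerlTaintCheck On` in mod_perl 1.x, `PerlSwitches -T` in mod_perl 2), not by the script's `#!` line.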