Re: plperl security

Tom Lane wrote:

>Andrew Dunstan <andrew@dunslane.net> writes:
>  
>
>>Currently we have this in plperl.c:
>>  "require Safe;"
>>I am thinking of submitting a patch to replace this with "use Safe 
>>2.09;" to enforce use of a version without the known vulnerability.
>>    
>>
>
>This would break both plperl and plperlu on older Perls.  Please see
>if you can avoid breaking plperlu.
>
>For that matter, does plperl.c really cope properly with a failure in
>this code at all?  I sure don't see anything that looks like error
>handling in plperl_init_interp().
>
>
>  
>

I will look at it. It will probably require some non-trivial rework.

I do agree that we should not break more old stuff than is necessary.

cheers

andrew