Bug#880368: YAML::XS::Load expects utf8 octets, not perl's encoding; use slurp_raw
Dominique Dumont
dod at debian.org
Sun Nov 5 17:32:48 UTC 2017
On Monday, 30 October 2017 15:27:32 CET you wrote:
> YAML::XS::Load (and *hopefully* the other implementations of
> YAML::Any::Load?) expect utf8 octets on input, not perl's internal
> encoding.
Uh? I thought I had gotten rid of YAML::Any... Well, after checking, it turns
out that I've updated Config::Model::Backend::Yaml, but I forgot to update
Dpkg::Scanner.
Anyway, using YAML::Any has several problems:
- it's deprecated
- it may load YAML or YAML::XS which have some security issues [1]
> Thus, slurp_raw should be used instead of slurp_utf8. [Though really,
> YAML::XS::Load should probably do the right thing if is_utf8 is on,
> anyway.]
Unfortunately, the strings returned by YAML::XS are not tagged as utf-8, which
leads to writing mojibake when cme is used to update debian/copyright.
Given the security issues of YAML and YAML::XS, I'm not going to tweak the
structure returned by YAML::XS to fix the utf8 flag of each scalar contained
in the structure (and maybe all hash keys...).
Instead, I'm going to replace YAML::Any with YAML::Tiny (which is more than
enough in this case).
Thanks for the report. This helps me improve dpkg model for cme (and led to
the release of Config::Model::Tester 3.003 which did not handle utf-8
correctly while checking file content).
All the best
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373
--
https://github.com/dod38fr/ -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/ -o- irc: dod at irc.debian.org
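
The mojibake described in the message above, and the per-scalar utf8-flag walk it decides against, sketched as an added example that is not part of the original message or of the cme / Config::Model code. The sample data is constructed, `written_octets` and `decode_tree` are hypothetical helpers, and only the core Encode module is used:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode encode);

# Constructed sample: values held as undecoded UTF-8 octets (utf8 flag off),
# the state the message describes for scalars coming back from the loader.
my $data = {
    'Upstream-Name' => "caf\xc3\xa9",
    'Files'         => [ "Andr\xc3\xa9" ],
};

# What reaches the file when a string is written through a UTF-8 encoding step.
# An undecoded octet string is treated as Latin-1 characters and encoded again.
sub written_octets { return encode('UTF-8', $_[0]) }

# Hypothetical helper: return a copy of the structure with every scalar and
# hash key decoded. Assumption: any scalar without the utf8 flag holds UTF-8
# octets. The flag alone cannot prove that, so invalid input croaks.
sub decode_tree {
    my ($node) = @_;
    if (ref $node eq 'HASH') {
        my %copy;
        for my $key (keys %$node) {
            $copy{ decode_tree($key) } = decode_tree($node->{$key});
        }
        return \%copy;
    }
    if (ref $node eq 'ARRAY') {
        return [ map { decode_tree($_) } @$node ];
    }
    return $node if !defined $node || ref $node || utf8::is_utf8($node);
    return decode('UTF-8', $node, Encode::FB_CROAK() | Encode::LEAVE_SRC());
}

my $fixed = decode_tree($data);

# Hex dump of the octets that would be written, before and after the walk:
# the undecoded value is encoded twice, the decoded one round-trips.
printf "%-10s %s\n", 'undecoded:', unpack('H*', written_octets($data->{Files}[0]));
printf "%-10s %s\n", 'decoded:',   unpack('H*', written_octets($fixed->{Files}[0]));
```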