Security Advisories (8)
CVE-2020-14393 (2020-09-16)

A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

CVE-2020-14392 (2020-06-17)

An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.

CVE-2019-20919 (2020-09-17)

An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.

CPANSA-DBI-2014-01 (2014-10-15)

DBD::File drivers open files from folders other than those specifically passed using the f_dir attribute.

CVE-2014-10402 (2020-09-16)

An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.

CVE-2014-10401 (2020-09-11)

An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.

CVE-2013-7491 (2020-09-11)

An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated.

CVE-2013-7490 (2020-09-11)

An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.

NAME

TASKS - Want to help? These things need doing...

Increase test coverage

More tests need to be added to cover the code that is not currently being tested.

It's pretty poor right now:

http://pjcj.sytes.net/cover/latest/DBI-1.52/coverage.html

Start with improving the subroutine coverage

http://pjcj.sytes.net/cover/latest/DBI-1.52/blib-lib-DBI-pm--subroutine.html

Test the proxy

The current t/80proxy.t is isolated from the rest of the test suite so actually tests very little, and what it does test is duplicating other tests.

Ideally the proxy should be tested in the same way as DBI::PurePerl. In other words, by creating wrapper test files for each test file that set $ENV{DBI_AUTOPROXY} and run the original test. They'll also need to start and stop a proxy server.

Fixing bugs

The official bug list is here:

http://rt.cpan.org/NoAuth/Bugs.html?Dist=DBI

Naturally I'll offer direction and guidance on any you want to tackle. I've also got a few that could be entered into rt.cpan.org.

Others

General:

Protect trace_msg from SIGPIPE?
prepare(...,{ Err=>\my $isolated_err, ...})
Add trace module that just records the last N trace messages into an array
    and prepends them to any error message to provide context for the error.
Document DBI_PROFILE_FLOCK and LockFile attrib in DBI::ProfileData and DBI::ProfileDumper

Performance:

Move _new_sth to DBI::db::_new_sth (leave alias) and implement in C
    Or call _new_child and move to DBI::common?

Implement FETCH_many() in C

Add high-res dbi_time for Windows - via Time::HiRes glob replace dbi_time()?