Vulnerability Development mailing list archives

Re: Passing (poison) nulls in cookies


From: "Chuck D. Phillips" <cdp () peakpeak com>
Date: Tue, 15 May 2001 07:00:56 -0600

Max Vision writes:
> However perl uses a bash-type shell by default, which to the best of my
> understanding will always truncate an environment variable on a null.

Just a nit.  Actually, it is the UNIX API (based on C which also uses
NUL-terminated strings in its standard libraries) which truncates all
strings.  Thus, short of a misbehaving implementation, you can't actually
*store* a NUL in a UNIX environment variable.  Note that environment
variables are often stored internally in a single string as:

        Name=Value\x00

For these implementations, you also cannot have an environment variable
that contains an "=" in its *name*.  Subject further to filtering by
applications (including shells) before an environment variable is set, it
is typical that any character except NUL and "=" can be part of the name,
and any character except NUL can be part of the value.  (It is the *first*
"=" that separates name from value.)

FWIW, shell metacharacters are available on *both* sides of the "=" --
yet another reason for not using a shell when security is important.

        Chuck

P.S. Thanks for the info on csh/tcsh/ash/ksh special handling of NULs.
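
The behaviour described in the message above, as an added example that is not part of the original post: a C program showing that `setenv()` keeps only the bytes before the first NUL, refuses a name containing "=", and that a raw `Name=Value` entry splits at the first "=". The helper names and the `DEMO_*` variables are hypothetical, the sample strings are constructed, and a POSIX `setenv()` that reports `EINVAL` for "=" in the name is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Store buf under name and return how many bytes the environment kept.
 * setenv() takes a C string, so everything after the first NUL is lost. */
size_t stored_value_len(const char *name, const char *buf)
{
    if (setenv(name, buf, 1) != 0)
        return (size_t)-1;
    const char *v = getenv(name);
    return v ? strlen(v) : (size_t)-1;
}

/* Returns 1 if setenv() refuses a name containing "=" with EINVAL. */
int equals_in_name_rejected(void)
{
    errno = 0;
    return setenv("DEMO=NAME", "x", 1) == -1 && errno == EINVAL;
}

/* Split a raw "Name=Value" entry at the FIRST "=". Returns 0 on success,
 * -1 if there is no "=", the name is empty, or a buffer is too small. */
int split_entry(const char *entry, char *name, size_t nsz, char *val, size_t vsz)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return -1;
    size_t nlen = (size_t)(eq - entry), vlen = strlen(eq + 1);
    if (nlen >= nsz || vlen >= vsz)
        return -1;
    memcpy(name, entry, nlen);
    name[nlen] = '\0';
    memcpy(val, eq + 1, vlen + 1);   /* copies the terminating NUL too */
    return 0;
}

int main(void)
{
    static const char cookie[] = "abc\0def";   /* constructed: 7 bytes, NUL inside */
    char n[32], v[32];
    printf("kept %zu of %zu bytes\n",
           stored_value_len("DEMO_COOKIE", cookie), sizeof cookie - 1);
    printf("'=' in name rejected: %d\n", equals_in_name_rejected());
    if (split_entry("DEMO=a=b;c", n, sizeof n, v, sizeof v) == 0)
        printf("name=[%s] value=[%s]\n", n, v);   /* ';' and later '=' kept verbatim */
    return 0;
}
```

A program that receives untrusted bytes and passes them through the environment therefore sees a truncated value, while the metacharacters that do survive reach any shell that later expands the variable.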

