Release 0.9.15


Security fix

Only the Windows version is affected.

If you ran a .bat or .cmd file via sys-exec (or other higher-level APIs such as run-process), certain crafted command-line arguments could invoke external commands: https://kb.cert.org/vuls/id/123335

In Gauche, the effect is limited because the user needs to give the .bat or .cmd extension explicitly to run those files, so the user code can check for unsafe arguments as well. Nevertheless, it is better not to have holes.

Now, if you're trying to run a .bat or .cmd file and an argument contains one of the "unsafe" characters, an error is thrown. (Issue:1017)
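
A user-side check of the kind mentioned above, for code that may still run on a release before this fix. This is an added example, not Gauche's own implementation. The names safe-arg-char?, batch-file?, check-batch-args and run-batch-safely are hypothetical, and the allow-list is an assumption that is stricter than the built-in check, since this page does not list the characters Gauche treats as unsafe.

```scheme
;; Added example, not code from the Gauche source tree.
(use gauche.process)   ; run-process
(use file.util)        ; path-extension
(use srfi-13)          ; string-every

;; Assumption: only these ASCII characters are accepted in an argument
;; handed to a batch file.  Quotes, spaces, shell metacharacters and
;; control characters are all rejected because they are not listed.
(define (safe-arg-char? c)
  (or (char-set-contains? #[A-Za-z0-9] c)
      (memv c '(#\_ #\- #\. #\/ #\\ #\: #\=))))

;; True when PROGRAM names a .bat or .cmd file (case-insensitive).
;; path-extension returns the extension without the dot, or #f.
(define (batch-file? program)
  (let ((ext (path-extension program)))
    (and ext
         (or (string-ci=? ext "bat")
             (string-ci=? ext "cmd")))))

;; Signals an error if PROGRAM is a batch file and any string in ARGS
;; contains a character outside the allow-list.  Other programs pass
;; through unchecked, matching the scope of the issue described above.
(define (check-batch-args program args)
  (when (batch-file? program)
    (for-each (lambda (arg)
                (unless (string-every safe-arg-char? arg)
                  (errorf "refusing to pass argument ~s to batch file ~a"
                          arg program)))
              args)))

;; Drop-in wrapper: validate first, then run and wait for completion.
(define (run-batch-safely program . args)
  (check-batch-args program args)
  (run-process (cons program args) :wait #t))
```

Validate at the point where untrusted input becomes an argument, and treat the error as a rejected request rather than retrying with a modified string.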

Other important fixes

build-standalone was broken

You couldn't build a standalone binary with 0.9.14, because it introduced an unintended dependency on private header files (which are only available when you have a source tree). This has been addressed. Issue:1013.

TLS handshake error in newer MbedTLS

When you tried to use a TLS server socket with a newer MbedTLS, clients failed to connect with a TLS handshake error. It is fixed.

Besides, if you configure with --with-tls=mbedtls-internal, it now uses MbedTLS 3.5.2. Issue:1018, Issue:1021.

O(n) in size-of method

The size-of method returns the size of a collection. Since the minimal requirement of the collection protocol is an iterator, the default method of size-of iterates over all elements to count them. It happened that built-in hashtables and treemaps didn't specialize size-of, which made it O(n) instead of O(1). Now those methods are specialized, and the documentation warns about this fallback behavior. Issue:987.

Compatibility warnings

Legacy argument keywords for define-cproc

At the beginning, the C interface (define-cproc) used CL-style lambda keywords such as &optional. We switched to the keyword form :optional a loooong time ago, but we've kept supporting the old style. We plan to drop it. If you see this warning, please update the source.

'#<undef> is used in boolean context'

This warning is off by default, but we recommend turning it on by setting the environment variable GAUCHE_CHECK_UNDEFINED_TEST. This warning is issued when #<undef> appears as the result of the test expression of a conditional branch.

This feature has been in for a while, but we plan to turn the warning on by default in the next release or so, thus we bring this up again.

See Nasty undefined for the details.

New modules & procedures

Other bug fixes


Last modified : 2024/04/24 00:26:54 UTC