in reply to Re: Re: Re: Hash Clash on purpose
in thread Hash Clash on purpose
It wouldn't break anything in existing CGI programs unless you made it mandatory. It could help very much to make it available and to not enforce any such limit unless someone calls the method. That way, adding one line to the code provides the security.
This shouldn't be kept to just CGI.pm, of course. Any program or module which currently takes outside data and stuffs it into a hash should be modified with the same sort of logic if the Perl hash implementation isn't going to be changed.
I don't know what Larry would say to BSD licensed code in every case, but I am pretty sure the default answer is that perl is licensed under Artistic License / GPL, and therefore will not take on the BSD license. That pretty much would kill the inclusion of the code developed by the authors of that paper which they recommend and which is BSD licensed.
Adding the logic to only accept certain keys for hashes at the language level is likely to be a real performance killer, although it'd be kind of neat. Probably, though, the way to go will be to do this at the module or application level, as applicable.
Christopher E. Stith
use coffee;
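
An added example, not part of the post above and not CGI.pm code: one way an application could apply the opt-in limit and key filtering the post describes before outside data reaches a hash. The helper name `parse_params` and its `max_keys` and `allowed` options are hypothetical, and the query string is constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not a CGI.pm method): parse a query string into a
# hash of value lists. Limits apply only when the caller passes them, so
# existing callers keep the old, unlimited behaviour.
sub parse_params {
    my ($query, %opt) = @_;
    my $max_keys = $opt{max_keys};    # undef = no cap on distinct keys
    my $allowed  = $opt{allowed};     # undef = accept any key
    my %allow    = $allowed ? map { $_ => 1 } @$allowed : ();

    my %params;
    my $seen = 0;
    for my $pair (split /[&;]/, $query) {
        next unless length $pair;
        my ($key, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        for ($key, $value) {          # URL-decode both parts in place
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        # Unexpected keys are only looked up in %allow, never inserted,
        # so they cannot grow any hash bucket.
        next if $allowed && !$allow{$key};
        # Count distinct keys and refuse the request once over the cap.
        if (!exists $params{$key}) {
            die "too many parameters\n"
                if defined $max_keys && ++$seen > $max_keys;
        }
        push @{ $params{$key} }, $value;
    }
    return \%params;
}

# Constructed sample input: two expected keys plus three unexpected ones.
my $query = 'name=Ann&color=red&x1=a&x2=b&x3=c';

# Allowlist: only the keys the program knows about are stored.
my $p = parse_params($query, allowed => [qw(name color)], max_keys => 10);
print join(', ', map { "$_=@{ $p->{$_} }" } sort keys %$p), "\n";

# Cap only: the same input is refused once it exceeds three distinct keys.
my $ok = eval { parse_params($query, max_keys => 3); 1 };
print "rejected: $@" unless $ok;
```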