
Re: Security Issues in perl-5.16.x

From: Jan Dubois
Date: October 1, 2012 17:55
Subject: Re: Security Issues in perl-5.16.x
Message ID: F160D129-0542-4FF5-96A7-3878299219D0@activestate.com

On 2012-10-01, at 5:11 PM, Jesse Luehrs <doy@tozt.net> wrote:
> Just because your patches were applied doesn't mean that they were
> *security* bugs. I agree that it's probably a bug that 'require
> "foo.pl\0bar"' sets $INC{"foo.pl\0bar"} instead of $INC{"foo.pl"}, and I
> think it probably should be fixed, but I still haven't seen any evidence
> that this is a *security* bug. There is a difference.

Why? %INC contains the filename in exactly the same format as you
specified it in the require statement:

$ perl -E 'require "foo.pm"; /foo/ && say for keys %INC'
foo.pm
$ perl -E 'require "./foo.pm"; /foo/ && say for keys %INC'
./foo.pm
$ perl -E 'require "../jan/foo.pm"; /foo/ && say for keys %INC'
../jan/foo.pm
$ perl -E 'require "foo.pm\0bar.pm"; /foo/ && say for keys %INC'
foo.pmbar.pm

What makes the last one special, so that it needs to be "normalized",
but the other 3 can be left as-is?  %INC is just a heuristic to try to prevent
the same file from being compiled multiple times.  It is easily fooled too:

$ echo 'print "hi\n"' > foo.pm
$ perl -E 'require "foo.pm"; require "./foo.pm"; /foo/ && say for keys %INC'
hi
hi
./foo.pm
foo.pm

To me this is not a bug, just a limitation of the optimization.

Cheers,
-Jan
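
The following Perl is an added example, not part of the original message or of Perl's own code. It shows how a caller could deduplicate on the resolved file path instead of the literal require string, and refuse names containing a NUL byte; strict_require, %loaded and the sample foo.pm are hypothetical names constructed for the illustration, and paths are resolved against the current directory rather than searched in @INC.

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

my %loaded;    # resolved path => count; our own table, separate from %INC

# strict_require() is a hypothetical helper, not part of Perl.
# Assumption: $file is a path (absolute or relative to the cwd);
# @INC is not searched.
sub strict_require {
    my ($file) = @_;
    # Reject names that a C-level open() would silently truncate at the NUL.
    die "embedded NUL in require path\n" if index($file, "\0") >= 0;
    my $real = abs_path($file);
    die "cannot resolve '$file'\n" unless defined $real && -f $real;
    return 0 if $loaded{$real}++;    # same file under another spelling: skip
    require $real;
    return 1;
}

# Constructed sample: a module that counts how often it is compiled.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/foo.pm" or die "open: $!";
print {$fh} "\$main::compiled++;\n1;\n";
close $fh or die "close: $!";

our $compiled = 0;
strict_require("$dir/foo.pm");
strict_require("$dir/./foo.pm");    # second spelling of the same file
print "compiled $compiled time(s)\n";

# A name with an embedded NUL is refused before any file is opened.
my $ok = eval { strict_require("$dir/foo.pm\0bar.pm"); 1 };
print "NUL path: ", ($ok ? "loaded\n" : "rejected: $@");
```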