develooper Front page | perl.perl5.porters | Postings from December 2012

Re: security notice: Locale::Maketext

From: Thomas Sibley
Date: December 5, 2012 21:43
Subject: Re: security notice: Locale::Maketext
Message ID: 50BFBFFD.2000806@bestpractical.com
On 12/05/2012 07:51 AM, Ricardo Signes wrote:
> Locale::Maketext is a core l10n library that expands templates found in
> strings.
> 
> Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
> and these fixes are now in blead and on the CPAN.
> 
> The commit in question is
> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
> 
> The flaws are:
> 
> * in a [method,x,y,z] template, the method could be a fully-qualified name
> * template expansion did not properly quote metacharacters, allowing
>   code injection through a malicious template
> 
> Please upgrade your Locale::Maketext, especially if you allow user-provided
> templates.

The commit mentioned above prevents cross-package method calls, but
still leaves any of the methods in the Locale::Maketext subclass wide
open.  This makes it easy for a security problem to crop up again.

For example: _try_use is a near miss.  If, through seemingly harmless
cleanup, it's ever made into a method, it will allow arbitrary eval via
loc-strings.

Another example: User provided loc-strings have full access to
CORE::sprintf() via Locale::Maketext::sprintf(), and generally
user-provided format strings are a red flag (although not necessarily
exploitable in the current maketext implementation).

Existing subclasses, though not Perl's responsibility, may already have
viable attack vectors via added methods.  Upgrading Locale::Maketext
won't fix those, and there should probably be some doc warning subclass
authors (i.e. any Locale::Maketext user :) about it so that they don't
think upgrading is the complete fix.

Thomas

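The following is an added example illustrating the point of the reply above; it is not code from the thread, from Locale::Maketext, or from cPanel. It builds a small Locale::Maketext subclass with a hypothetical helper method (`load_plugin`, standing in for the kind of `_try_use`-style require/eval helper the reply warns about) and shows three things: that untrusted text passed as a maketext *argument* is inserted verbatim, that the same text used as the *template* is compiled and its bracket group is dispatched as a method call on the handle, and how to neutralise bracket syntax with the `~` escape when user text really must be spliced into a template. Package names, the lexicon contents, and the `escape_for_template` helper are all assumptions for the example.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): bracket notation in a Locale::Maketext
# loc-string reaches every method on the handle's class, so untrusted text
# must never occupy the template position unescaped.
use strict;
use warnings;

package MyApp::L10N;
use parent 'Locale::Maketext';

# Hypothetical subclass helper that looks harmless in application code.
# Because Locale::Maketext dispatches "[name,args]" as $lh->name(args),
# any user-supplied loc-string can call it.  In a real subclass this is
# the sort of method that would wrap "require" or "eval".
sub load_plugin {
    my ($lh, $name) = @_;
    return "would require plugin '$name'";
}

package MyApp::L10N::en;
our @ISA = ('MyApp::L10N');
our %Lexicon = (
    '_AUTO'    => 1,                 # unknown keys are compiled as templates
    'greeting' => 'Hello, [_1]!',
);

package main;

my $lh = MyApp::L10N->get_handle('en') or die "no language handle";

# Constructed untrusted input: a bracket group naming a subclass method.
my $untrusted = '[load_plugin,evil]';

# 1. Safe: the untrusted text travels as an argument.  Arguments are
#    substituted verbatim; their brackets are not interpreted.
print $lh->maketext('greeting', $untrusted), "\n";
# Hello, [load_plugin,evil]!

# 2. Unsafe: the same text used as the template is compiled, and the
#    bracket group becomes $lh->load_plugin('evil').
print $lh->maketext($untrusted), "\n";
# would require plugin 'evil'

# 3. If user text must be embedded in a template, escape the bracket
#    syntax first.  "~" is Locale::Maketext's escape character: "~[", "~]"
#    and "~~" stand for literal "[", "]" and "~".  (Helper is an assumption
#    for this example, not part of Locale::Maketext.)
sub escape_for_template {
    my ($s) = @_;
    $s =~ s/([~\[\]])/~$1/g;
    return $s;
}
print $lh->maketext('Note: ' . escape_for_template($untrusted)), "\n";
# Note: [load_plugin,evil]
```

The practical rule this illustrates is the one the reply leads to: upgrading only narrows the method-call surface to the handle's own class, so the template position of `maketext` must be treated as trusted code. Keep user data in the argument position, or escape it, and audit every public method on your Locale::Maketext subclass as if it were reachable from a loc-string. Later Locale::Maketext releases add per-handle `whitelist` and `blacklist` methods that restrict which names bracket groups may call; the example deliberately does not rely on them, since the thread concerns a version without that restriction.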

