
Re: security notice: Locale::Maketext

Thomas Sibley
December 5, 2012 21:43
Re: security notice: Locale::Maketext
On 12/05/2012 07:51 AM, Ricardo Signes wrote:
> Locale::Maketext is a core l10n library that expands templates found in
> strings.
> Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
> and these fixes are now in blead and on the CPAN.
> The commit in question is
> The flaws are:
> * in a [method,x,y,z] template, the method could be a fully-qualified name
> * template expansion did not properly quote metacharacters, allowing
>   code injection through a malicious template
> Please upgrade your Locale::Maketext, especially if you allow user-provided
> templates.

The commit mentioned above prevents cross-package method calls, but
still leaves any of the methods in the Locale::Maketext subclass wide
open.  This makes it easy for a security problem to crop up again.

For example: _try_use is a near miss.  If, through seemingly harmless
cleanup, it's ever made into a method, it will allow arbitrary eval via

Another example: User-provided loc-strings have full access to
CORE::sprintf() via Locale::Maketext::sprintf(), and generally
user-provided format strings are a red flag (although not necessarily
exploitable in the current maketext implementation).

Existing subclasses, though not Perl's responsibility, may already have
viable attack vectors via added methods.  Upgrading Locale::Maketext
won't fix those, and there should probably be some doc warning subclass
authors (i.e. any Locale::Maketext user :) about it so that they don't
think upgrading is the complete fix.
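To illustrate the point about subclass methods, here is an added example that is not from this thread or from Locale::Maketext itself: a hypothetical MyApp::L10N subclass whose own helper method is reachable from bracket notation, alongside a constructed escape helper that neutralises the template metacharacters in untrusted text before it is interpolated.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): any method defined on a Locale::Maketext
# subclass is reachable from [method,...] bracket notation in a loc-string.
# Mitigation shown: escape untrusted text so it is treated as literal text.
use strict;
use warnings;

package MyApp::L10N;               # hypothetical application subclass
use parent 'Locale::Maketext';

# A "harmless" helper added by a subclass author.  Because it is a method on
# the language handle, [shout,...] in any compiled template dispatches to it.
sub shout { my ($lh, $text) = @_; return uc($text) . '!' }

package MyApp::L10N::en;
our @ISA = ('MyApp::L10N');
our %Lexicon = (_AUTO => 1);       # unknown keys are compiled as templates

package main;

# Escape the bracket-notation metacharacters (~, [ and ]) in untrusted text,
# using Locale::Maketext's own "~" escape so they are emitted literally.
sub escape_bracket_notation {
    my ($text) = @_;
    $text =~ s/([~\[\]])/~$1/g;
    return $text;
}

my $lh = MyApp::L10N->get_handle('en') or die "no language handle";

my $untrusted = '[shout,hello]';   # constructed user-supplied string

# Passed raw, the string is compiled as a template and calls shout().
print $lh->maketext($untrusted), "\n";

# Escaped first, the same text is rendered as the literal "[shout,hello]".
print $lh->maketext(escape_bracket_notation($untrusted)), "\n";
```

The first print shows the subclass method being invoked by the template; the second shows the escaped string surviving as plain text, which is the treatment any user-provided fragment should get before it reaches maketext().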

