Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness

Front page | perl.perl5.porters | Postings from October 2015

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness

Thread Previous

From:

Reini Urban

Date:

October 1, 2015 15:37

Subject:

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness

Message ID:

F1B3202C-5734-463D-B293-CDECB91CAD85@gmail.com

> On Oct 1, 2015, at 2:41 PM, Reini Urban <reini.urban@gmail.com> wrote:
> regarding the 3 commits:
> 
> 3d83cce Treat require ::foo::bar; the same as require foo::bar;
> 
> One could think of treating ::foo::bar as main::foo:bar instead, and main as implicit stash root is 
> never looked up on disc. so the alternative variant would be to treat it as syntax error.
> 
> 5fc2378 Split the guts of pp_require into S_require_version() and S_require_file().
> 
> Optional. require is not hot, so why not.
> 
> 5d1f12f Validate the module filename created for bareword require.
> 
> The important missing part.

You can take the fixes from my branch:
https://github.com/perl11/cperl/issues/58 
(3 commits)

As you’ll see I treat a starting :: bareword for require as error, 
and didn’t split pp_require into 2 parts.

Thread Previous

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness by Dominic Hargreaves

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness by Salvatore Bonaccorso
Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness by Dave Mitchell

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness by Reini Urban

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness by Reini Urban

nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About