develooper Front page | perl.perl5.porters | Postings from August 2016

Re: Alternative Fix for base.pm dot-in-INC mechanic.

Thread Previous | Thread Next
From:
Kent Fredric
Date:
August 25, 2016 04:21
Subject:
Re: Alternative Fix for base.pm dot-in-INC mechanic.
Message ID:
CAATnKFBPAjr9sZkYiNH+1igfN5g_EO8SX07tUrVb9DUjNwWvHQ@mail.gmail.com
On 25 August 2016 at 09:31, Todd E Rinaldo <toddr@cpanel.net> wrote:
> I'm not aware of any other changes being as risky?

A short list of things that I've found that appear to be "require proxies":

CPAN.pm : has_usable
Digest.pm : new
Memoize.pm : _my_tie
Pod/Perldoc.pm :  find_good_formatter_class
Net/Config.pm :  # the whole module
IO.pm : import
Locale/Maketext.pm : _try_use

There are probably more, but this is just what I picked out from
comparing 5.24.0 and 5.24.1-RC3.

Details:


CPAN.pm:

@@ -1104,6 +1104,8 @@ sub has_usable {
                                ]
               };
     if ($usable->{$mod}) {
+        local @INC = @INC;
+        pop @INC if $INC[-1] eq '.';
         for my $c (0..$#{$usable->{$mod}}) {
             my $code = $usable->{$mod}[$c];
             my $ret = eval { &$code() };
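Review bot: the guard on the two added lines removes only a '.' that is the last element of @INC, so a '.' supplied earlier in the list (via -I. or PERL5LIB) or a relative entry such as 'lib' is still searched; if that is deliberate (only the implicit default is dropped), say so in a comment next to the `pop`, otherwise use `@INC = grep { $_ ne '.' } @INC`. The scoping itself is right: `local @INC` lives inside the `if ($usable->{$mod})` block, so it covers the whole `for` loop of `&$code()` probes without leaking into the rest of has_usable.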


But I don't think that's a concern path unless people call that code
from arbitrary locations outside CPAN.pm.

Digest.pm:


@@ -38,7 +38,11 @@ sub new
         unless (exists ${"$class\::"}{"VERSION"}) {
             my $pm_file = $class . ".pm";
             $pm_file =~ s{::}{/}g;
-            eval { require $pm_file };
+            eval {
+                local @INC = @INC;
+                pop @INC if $INC[-1] eq '.';
+                require $pm_file
+           };
             if ($@) {
                 $err ||= $@;
                 next;
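Review bot: the closing `};` on the last added line is indented one column short of the `eval {` that opens it; align it with the other modules' copies of this block. Otherwise the scope is correct: `local @INC` is inside the eval, so @INC is back to normal before `if ($@)` runs, and since `$class` is caller-chosen the `require $pm_file` here is exactly the require proxy under discussion. Add a trailing semicolon after `require $pm_file` so a later statement inserted below it does not silently change the eval's value.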


Digest->new($name)

Is essentially

require $name; $name->new();

But security vectors involving Digest should be very carefully looked
at, because a dodgy Digest module can do a lot of fun things.

Memoize.pm:

@@ -184,7 +184,11 @@ sub _my_tie {
   }
   my $modulefile = $module . '.pm';
   $modulefile =~ s{::}{/}g;
-  eval { require $modulefile };
+  eval {
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+    require $modulefile
+  };
   if ($
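Review bot: the hunk is cut off at `if ($`, so the error handling after the eval cannot be reviewed from this message; the visible part is the same guard as in Digest.pm, with `local @INC` correctly scoped to the eval block so that it is undone before `$@` is tested. As there, `require $modulefile` has no trailing semicolon; legal as the last statement of the block, but worth adding for safety against later edits.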


https://metacpan.org/pod/Memoize#TIE

memoize ... ['TIE', PACKAGE, ARGS...]

is merely a shortcut for

require PACKAGE;
{ tie my %cache, PACKAGE, ARGS...;
  memoize ... [HASH => \%cache];
}



Pod/Perldoc.pm:

@@ -575,6 +575,9 @@ sub find_good_formatter_class {
   my @class_list = @{ $self->{'formatter_classes'} || [] };
   $self->die( "WHAT?  Nothing in the formatter class list!?" ) unless
@class_list;

+  local @INC = @INC;
+  pop @INC if $INC[-1] eq '.';
+
   my $good_class_found;
   foreach my $c (@class_list) {
     DEBUG > 4 and print "Trying to load $c...\n";
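Review bot: `local @INC` is placed at the scope of find_good_formatter_class rather than around the require, so every require performed until the sub returns, including any done by the formatter class's own code once it loads, sees the trimmed @INC. That is probably the intent (the formatter list comes from the command line), but it is a wider scope than the eval-local guards in Digest.pm and Memoize.pm; a one-line comment saying the wider scope is deliberate would help the next reader.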
@@ -1006,6 +1009,8 @@ sub new_translator { # $tr = $self->new_translator($lang);
     my $self = shift;
     my $lang = shift;

+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
     my $pack = 'POD2::' . uc($lang);
     eval "require $pack";
     if ( !$@ && $pack->can('new') ) {
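Review bot: same sub-scope choice as the previous hunk, and while this code is being touched note that `eval "require $pack"` interpolates `$lang` straight from the caller into a string eval via `$pack = 'POD2::' . uc($lang)`; the hunk does not make this worse, but a `$lang =~ /\A\w+\z/ or return` before `$pack` is built would close the string-eval exposure alongside the @INC one.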


These affect loading of arbitrarily specified command-line module
names, and might be cause for concern,
but "changing @INC in a module loaded by perldoc specified on the
command line" strikes me as weird in itself.


libnet's Net/Config.pm:

-eval { local $SIG{__DIE__}; require Net::LocalCfg };
+eval {
+  local @INC = @INC;
+  pop @INC if $INC[-1] eq '.';
+  local $SIG{__DIE__};
+  require Net::LocalCfg;
+};
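Review bot: the `eval` still swallows every failure of `require Net::LocalCfg`, so a site that kept its Net::LocalCfg in the current directory will now silently get no local configuration at all; that is a behaviour change that belongs in perldelta or the libnet Changes file, and it may be worth a `warn` when `$@` is set and is not a "Can't locate" error. Keeping `local $SIG{__DIE__}` inside the new block, as the old one-liner had it, is right.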

^^ I don't actually know what this is doing/expected to do here, not
enough detail.

But if Net::LocalCfg is a file where the user is expected to dump
arbitrary code?


eh.

IO.pm:


@@ -18,6 +18,8 @@ sub import {

     my @l = @_ ? @_ : qw(Handle Seekable File Pipe Socket Dir);

+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
     eval join("", map { "require IO::" . (/(\w+)/)[0] . ";\n" } @l)
        or croak $@;
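Review bot: `local @INC` at import() scope is fine here, since the string eval of the joined requires is the only thing that follows it. Pre-existing but visible in the context line: `(/(\w+)/)[0]` keeps only the first run of word characters of each argument, so `use IO 'Socket::SSL'` silently becomes `require IO::Socket;`; validating each element of `@l` against `/\A\w+\z/` and croaking otherwise would make the proxy's behaviour explicit.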

I'm gonna be sick just looking at this. But suffice to say:
https://metacpan.org/source/SHAY/perl-5.24.1-RC3//dist/IO/IO.pm#L13

If you pass arguments to `use IO`, it degrades to a "require proxy".

    use IO "CaptureOutput";

and

    use IO::CaptureOutput;

do the same thing (well, mostly).


Locale/Maketext.pm:

@@ -449,6 +449,8 @@ sub _try_use {   # Basically a wrapper around
"require Modulename"

     local $SIG{'__DIE__'};
     local $@;
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
     eval "require $module"; # used to be "use $module", but no point in that.

     if($@) {
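Review bot: `local @INC` sits between `local $@` and the string eval, so both the caller's `$@` and @INC are restored on exit, which is right. As in Pod::Perldoc, `eval "require $module"` interpolates `$module` into a string eval; given that the hunk header's own comment calls this a wrapper around `require Modulename`, a check that `$module` is a plain package name (`/\A\w+(?:::\w+)*\z/`) belongs here as much as the @INC trim does.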


User-triggerable via:

https://metacpan.org/source/SHAY/perl-5.24.1-RC3//dist/Locale-Maketext/lib/Locale/Maketext.pm#L302-336

-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL
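The mechanic the patch repeats in each module, as an added example that is not from this post, the thread, or perl core: a hypothetical require proxy in its unsafe and guarded forms, run against a module planted in a temporary working directory. The helper names load_class_unsafe/load_class_safe and the module name Demo::PlantedModule are assumptions made for the demo; pushing '.' onto @INC reproduces the pre-5.26 default so the script behaves the same on perls that have already dropped it.

```perl
#!/usr/bin/env perl
# Added example (not from the original post or from perl core): why a
# "require proxy" is exposed by a trailing '.' in @INC, and what the
# local-@INC guard used throughout the 5.24.1 patch changes.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

# Assumption for the demo: reproduce the pre-5.26 default of '.' as the
# last @INC entry, so the run is the same on newer perls.
push @INC, '.' unless @INC && $INC[-1] eq '.';

# A require proxy: the caller picks the class, we turn it into a require.
# Unsafe form: searches @INC as-is, so a trailing '.' means "whatever
# happens to be in the current working directory".
sub load_class_unsafe {
    my ($class) = @_;
    (my $file = "$class.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? $class : undef;
}

# Guarded form: the same lines the patch adds to Digest, Memoize, IO,
# Locale::Maketext and friends. Only an implicit trailing '.' is dropped;
# a '.' the user put earlier via -I or PERL5LIB is deliberately kept.
sub load_class_safe {
    my ($class) = @_;
    (my $file = "$class.pm") =~ s{::}{/}g;
    local @INC = @INC;
    pop @INC if $INC[-1] eq '.';
    return eval { require $file; 1 } ? $class : undef;
}

# Constructed attacker-controlled working directory holding a module the
# program never intended to load. Demo::PlantedModule is a hypothetical name.
my $pkg = 'Demo::PlantedModule';
my $dir = tempdir(CLEANUP => 1);
mkdir File::Spec->catdir($dir, 'Demo') or die "mkdir: $!";
{
    open my $fh, '>', File::Spec->catfile($dir, 'Demo', 'PlantedModule.pm')
        or die "open: $!";
    print $fh "package Demo::PlantedModule;\n",
              "\$main::PLANTED_RAN = 1;   # side effect proves it executed\n",
              "1;\n";
    close $fh or die "close: $!";
}

our $PLANTED_RAN = 0;
my $orig_cwd = getcwd();
chdir $dir or die "chdir: $!";

# 1. Guarded proxy: '.' is popped for the duration of the require, so the
#    planted file in the cwd is not found and nothing runs.
my $safe = load_class_safe($pkg);
printf "safe      : %s (planted code ran: %d)\n",
    defined $safe ? 'loaded' : 'not loaded', $PLANTED_RAN;

# 2. Unsafe proxy: the same name now resolves via '.' to the planted file,
#    and its top-level code runs with the caller's privileges.
my $unsafe = load_class_unsafe($pkg);
printf "unsafe    : %s (planted code ran: %d, %%INC entry: %s)\n",
    defined $unsafe ? 'loaded' : 'not loaded', $PLANTED_RAN,
    $INC{'Demo/PlantedModule.pm'} // 'none';

# 3. Once a module is in %INC, require is a no-op, so the guard cannot undo
#    an earlier unsafe load; it only matters for the first load of a name.
my $again = load_class_safe($pkg);
printf "safe again: %s (served from %%INC)\n",
    defined $again ? 'loaded' : 'not loaded';

chdir $orig_cwd or die "chdir back: $!";
```

Run it as a plain script with no arguments; the first call reports "not loaded", the second "loaded" with the planted code's side effect set, and the third shows that the guard is irrelevant once the name is cached in %INC. The order of the calls matters for exactly that reason: calling the unsafe proxy first would make the guarded one appear to succeed.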
