Front page | perl.perl5.porters |
Postings from August 2021
"Ricardo Signes" writes:
> diff --git a/Encode.pm b/Encode.pm
> index a56a999..9691382 100644
> --- a/Encode.pm
> +++ b/Encode.pm
> @@ -65,8 +65,8 @@ require Encode::Config;
> eval {
> local $SIG{__DIE__};
> local $SIG{__WARN__};
> - local @INC = @INC || ();
> - pop @INC if $INC[-1] eq '.';
> + local @INC = @INC;
> + pop @INC if @INC && $INC[-1] eq '.';
> require Encode::ConfigLocal;
> };
Hmm, the original change in 3.05 looks… planted; and since Encode.pm is
XS-ed it gets baked in pretty hard. Since that change precludes any
attempt to use Encode::ConfigLocal as intended, this also shows that the
distribution is missing a test for this functionality and that
practically nobody is using it or it should have been caught much
earlier. :-(
Going back to CVE-2016-1238, why is "." in @INC only removed when it's
at the end (which used to be where it was by default)? Shouldn't it be
sanitized regardless of position, or even more generally any
world-writable components of @INC?
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables
Thread Previous
|
Thread Next