Re: CVE-2021-36770: loads code from outside expected @INC

Achim Gratz
August 9, 2021 21:03
Re: CVE-2021-36770: loads code from outside expected @INC
"Ricardo Signes" writes:
> diff --git a/ b/
> index a56a999..9691382 100644
> --- a/
> +++ b/
> @@ -65,8 +65,8 @@ require Encode::Config;
>  eval {
>      local $SIG{__DIE__};
>      local $SIG{__WARN__};
> -    local @INC = @INC || ();
> -    pop @INC if $INC[-1] eq '.';
> +    local @INC = @INC;
> +    pop @INC if @INC && $INC[-1] eq '.';
>      require Encode::ConfigLocal;
>  };
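
Review bot: the removed line `local @INC = @INC || ();` is where the unexpected search path came from: `||` evaluates its left operand in scalar context, so the localized `@INC` was not a copy of the list but a single element holding the element count (e.g. `7`), a relative path that `require Encode::ConfigLocal` then resolved under the current directory. The replacement `local @INC = @INC;` copies the list as intended, and the added `@INC &&` guard keeps `$INC[-1]` from being evaluated on an empty list. Since the whole point of this block is to load Encode::ConfigLocal only from the expected directories, a regression test that places a stub Encode/ConfigLocal.pm in a temporary directory, puts that directory in @INC alongside '.', and asserts which copy was loaded would catch a recurrence.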

Hmm, the original change in 3.05 looks… planted; and since is
XS-ed it gets baked in pretty hard.  Since that change precludes any
attempt to use Encode::ConfigLocal as intended, this also shows that the
distribution is missing a test for this functionality and that
practically nobody is using it or it should have been caught much
earlier.  :-(

Going back to CVE-2016-1238, why is "." in @INC only removed when it's
at the end (which used to be where it was by default)?  Shouldn't it be
sanitized regardless of position, or even more generally any
world-writable components of @INC?

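
The position-independent sanitising asked about in the reply above, as an added illustration that is not part of the original post or of Encode: a helper that drops '.', any other relative entry and any world-writable directory from a copy of @INC before a localized `require`. Names (`sanitized_inc`, `Demo::LocalConfig`, the temporary directories) are constructed for the example, and the world-writable check assumes POSIX permission bits.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Return a copy of an @INC-style list with risky entries dropped:
#   - '.' and any other relative path, wherever it sits in the list
#   - existing directories that are world-writable (mode bit 0002 set)
# @INC hooks (code refs, objects) are not paths and are passed through.
sub sanitized_inc {
    my @out;
    for my $entry (@_) {
        if (ref $entry) { push @out, $entry; next; }
        next if $entry eq '.' or !File::Spec->file_name_is_absolute($entry);
        if (-d $entry) {
            my $mode = (stat _)[2] & 07777;   # stat _ reuses the -d lookup
            next if $mode & 0002;             # anyone could plant a module here
        }
        push @out, $entry;
    }
    return @out;
}

# Constructed layout: one safe and one world-writable library directory.
my $root = tempdir(CLEANUP => 1);
my ($safe, $open) = ("$root/safe", "$root/open");
mkdir $safe or die "$safe: $!"; chmod 0755, $safe;
mkdir $open or die "$open: $!"; chmod 0777, $open;

# A stand-in for Encode::ConfigLocal (constructed name, not the real module),
# present in both directories so we can see which copy gets loaded.
for my $dir ($safe, $open) {
    mkdir "$dir/Demo" or die "$dir/Demo: $!";
    open my $fh, '>', "$dir/Demo/LocalConfig.pm" or die "$dir: $!";
    print $fh "package Demo::LocalConfig; our \$FROM = '$dir'; 1;\n";
    close $fh;
}

my @untrusted = ($safe, '.', $open, 'lib');   # '.' in the middle, not the end
print "before: @untrusted\n";
print "after:  ", join(' ', sanitized_inc(@untrusted)), "\n";   # only $safe

# Same shape as the patched eval block, but sanitised regardless of position.
{
    no warnings 'once';
    local @INC = sanitized_inc(@untrusted);
    require Demo::LocalConfig;
    print "loaded from: $Demo::LocalConfig::FROM\n";   # the safe directory
}
```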
