develooper Front page | perl.perl5.porters | Postings from August 2021

Re: CVE-2021-36770: loads code from outside expected @INC

Thread Previous | Thread Next
August 10, 2021 05:25
Re: CVE-2021-36770: loads code from outside expected @INC
Message ID:
Dan Book writes:
> It's quite different to account for the default behavior of Perl up
> until 5.26, than to account for anyone's modification of @INC which
> may have a good reason (and if you want to protect against that, you
> must remove any relative path from @INC, not just '.').

The attack vector doesn't depend on the path being relative.

Looking at enc2xs, I'm wondering if the search path could / should be
restricted to $INC{""}, which would be safe by default and
explicitly set up to differ from the default by the user otherwise.
While it's possible to put a generated ConfigLocal someplace else after
the fact with the current implementation, enc2xs doesn't seem to support
that scenario consciously.

+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About