develooper Front page | perl.perl5.porters | Postings from August 2021

Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

Thread Previous | Thread Next
From:
Dan Book
Date:
August 10, 2021 06:40
Subject:
Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC
Message ID:
CABMkAVUaw37SmU62+Js2j+vKrmw5ubKg6xmKTuizsRsm7WykZQ@mail.gmail.com
On Tue, Aug 10, 2021 at 1:25 AM ASSI <Stromeko@nexgo.de> wrote:

> Dan Book writes:
> > It's quite different to account for the default behavior of Perl up
> > until 5.26, than to account for anyone's modification of @INC which
> > may have a good reason (and if you want to protect against that, you
> > must remove any relative path from @INC, not just '.').
>
> The attack vector doesn't depend on the path being relative.
>

What do you mean by this? This is the entire reason that the current
working directory in @INC is a vulnerability. Other relative paths are also
treated as relative to the current working directory.

-Dan

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About