Front page | perl.perl5.porters |
Postings from August 2021
On Sat, Aug 14, 2021 at 4:15 AM Achim Gratz <Stromeko@nexgo.de> wrote:
> "Ricardo Signes" writes:
> > I have attached a fix for a bug in Encode, registered as
> > CVE-2021-36770. This bug replaces the contents of @INC with a
> > predictable integer, which is treated as a directory relative to the
> > current working directory, long enough to execute one "require".
>
> I've decided to put a different fix in Cygwin's Perl:
>
> --8<---------------cut here---------------start------------->8---
> --- origsrc/perl-5.32.1/cpan/Encode/Encode.pm
> +++ src/perl-5.32.1/cpan/Encode/Encode.pm
> @@ -65,8 +65,7 @@
> eval {
> local $SIG{__DIE__};
> local $SIG{__WARN__};
> - local @INC = @INC || ();
> - pop @INC if $INC[-1] eq '.';
> + local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" ))
> ); # where enc2xs would have installed it
> require Encode::ConfigLocal;
> };
>
>
> --8<---------------cut here---------------end--------------->8---
>
A less fragile version of this would be:
require File::Basename;
local @INC = File::Basename::dirname($INC{'Encode.pm'});
-Dan
Thread Previous
|
Thread Next