Front page | perl.perl5.porters |
Postings from August 2021
On Sat, Aug 14, 2021 at 7:21 PM Dan Book <grinnz@gmail.com> wrote:
> On Sat, Aug 14, 2021 at 1:18 PM Dan Book <grinnz@gmail.com> wrote:
>
>> On Sat, Aug 14, 2021 at 4:15 AM Achim Gratz <Stromeko@nexgo.de> wrote:
>>
>>> "Ricardo Signes" writes:
>>> > I have attached a fix for a bug in Encode, registered as
>>> > CVE-2021-36770. This bug replaces the contents of @INC with a
>>> > predictable integer, which is treated as a directory relative to the
>>> > current working directory, long enough to execute one "require".
>>>
>>> I've decided to put a different fix in Cygwin's Perl:
>>>
>>> --8<---------------cut here---------------start------------->8---
>>> --- origsrc/perl-5.32.1/cpan/Encode/Encode.pm
>>> +++ src/perl-5.32.1/cpan/Encode/Encode.pm
>>> @@ -65,8 +65,7 @@
>>> eval {
>>> local $SIG{__DIE__};
>>> local $SIG{__WARN__};
>>> - local @INC = @INC || ();
>>> - pop @INC if $INC[-1] eq '.';
>>> + local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm"
>>> )) ); # where enc2xs would have installed it
>>> require Encode::ConfigLocal;
>>> };
>>>
>>>
>>> --8<---------------cut here---------------end--------------->8---
>>>
>>
>> A less fragile version of this would be:
>>
>> require File::Basename;
>> local @INC = File::Basename::dirname($INC{'Encode.pm'});
>>
>
> And probably should be using __FILE__ instead of the %INC entry since this
> *is* Encode.pm.
>
If you really want to go that way, you might as well give require the
actual path
Leon
Thread Previous
|
Thread Next