don't allow require STR within string eval to inject arbitrary code

author: Jesse Luehrs <doy@tozt.net> 2012-01-04 19:01:20 -0600
committer: Jesse Luehrs <doy@tozt.net> 2012-01-04 19:04:18 -0600
commit: f2d84d37c3c9007904ac6f61755a1174d4a86311 (patch)
tree: 899bb800d17d8c0b33cba5a311aecf32a0019560 /lib/circular
parent: 38311155f8bfb2ee335d4ac122ad148c83ea252e (diff)
download: circular-require-f2d84d37c3c9007904ac6f61755a1174d4a86311.tar.gz
circular-require-f2d84d37c3c9007904ac6f61755a1174d4a86311.zip
1 files changed, 3 insertions, 9 deletions
diff --git a/lib/circular/require.pm b/lib/circular/require.pm
index 3c65846..5cc4657 100644
--- a/lib/circular/require.pm
+++ b/lib/circular/require.pm
@@ -80,10 +80,11 @@ sub _require {
     # but we're not in an eval anymore
     # fake it up so that this looks the same
     if (defined((caller(1))[6])) {
-        my $mod = _pm2mod($file);
+        require B;
+        my $str = B::perlstring($file);
         $ret = $saved_require_hook
             ? $saved_require_hook->($file)
-            : (eval "CORE::require $mod" || die $@);
+            : (eval "CORE::require($str)" || die $@);
     }
     else {
         $ret = $saved_require_hook
@@ -125,13 +126,6 @@ sub _mod2pm {
     return $mod;
 }
 
-sub _pm2mod {
-    my ($file) = @_;
-    $file =~ s+/+::+g;
-    $file =~ s+\.pm$++;
-    return $file;
-}
-
 =head1 CAVEATS
 
 This module works by overriding C<CORE::GLOBAL::require>, and so other modules
author	Jesse Luehrs <doy@tozt.net>	2012-01-04 19:01:20 -0600
committer	Jesse Luehrs <doy@tozt.net>	2012-01-04 19:04:18 -0600
commit	f2d84d37c3c9007904ac6f61755a1174d4a86311 (patch)
tree	899bb800d17d8c0b33cba5a311aecf32a0019560 /lib/circular
parent	38311155f8bfb2ee335d4ac122ad148c83ea252e (diff)
download	circular-require-f2d84d37c3c9007904ac6f61755a1174d4a86311.tar.gz circular-require-f2d84d37c3c9007904ac6f61755a1174d4a86311.zip