author | Jesse Luehrs <doy@tozt.net> | 2012-01-04 19:01:20 -0600 |
---|---|---|
committer | Jesse Luehrs <doy@tozt.net> | 2012-01-04 19:04:18 -0600 |
commit | f2d84d37c3c9007904ac6f61755a1174d4a86311 (patch) | |
tree | 899bb800d17d8c0b33cba5a311aecf32a0019560 /t | |
parent | 38311155f8bfb2ee335d4ac122ad148c83ea252e (diff) | |
don't allow require STR within string eval to inject arbitrary code
Diffstat (limited to 't')
-rw-r--r-- | t/injection.t | 17 | ||||
-rw-r--r-- | t/injection/Foo.pm | 2 |
2 files changed, 19 insertions, 0 deletions
diff --git a/t/injection.t b/t/injection.t
new file mode 100644
index 0000000..5e33406
--- /dev/null
+++ b/t/injection.t
@@ -0,0 +1,17 @@
+#!/usr/bin/env perl
+use strict;
+use warnings;
+use Test::More;
+use lib 't/injection';
+
+no circular::require;
+
+eval "require('Foo; die q[bar]'); 1";
+like($@, qr/Can't locate Foo; die q\[bar\] in \@INC/,
+    "can't inject extra code via require");
+
+eval 'require(q[Foo$bar])';
+like($@, qr/Can't locate Foo\$bar in \@INC/,
+    "can't inject extra code via require");
+
+done_testing;
diff --git a/t/injection/Foo.pm b/t/injection/Foo.pm
new file mode 100644
index 0000000..336f337
--- /dev/null
+++ b/t/injection/Foo.pm
@@ -0,0 +1,2 @@
+package Foo;
+1;
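Review bot: Both `like` calls in t/injection.t carry the identical description `"can't inject extra code via require"`, so a failing TAP line cannot tell the two cases apart; the second `eval 'require(q[Foo$bar])'` checks a different property (that `$bar` inside the argument is not interpolated before the hook sees it), and a description such as `"variable in require string is not interpolated"` would make that visible. It would also be worth asserting the positive side after each eval, e.g. `ok(!exists $INC{'Foo.pm'}, 'Foo was not loaded');`, since the new t/injection/Foo.pm stub exists precisely so that an injected `require Foo` would succeed rather than fail — the `like` on `$@` catches that only indirectly. A short comment above `no circular::require;` saying that the `no` form is what enables the hook under test would help readers unfamiliar with the module's inverted pragma convention (presumably that is its purpose here; confirm against the module).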