authorJesse Luehrs <doy@tozt.net>2012-01-04 19:01:20 -0600
committerJesse Luehrs <doy@tozt.net>2012-01-04 19:04:18 -0600
commitf2d84d37c3c9007904ac6f61755a1174d4a86311 (patch)
tree899bb800d17d8c0b33cba5a311aecf32a0019560 /t
parent38311155f8bfb2ee335d4ac122ad148c83ea252e (diff)
don't allow require STR within string eval to inject arbitrary code
Diffstat (limited to 't')
-rw-r--r--t/injection.t17
-rw-r--r--t/injection/Foo.pm2
2 files changed, 19 insertions, 0 deletions
diff --git a/t/injection.t b/t/injection.t
new file mode 100644
index 0000000..5e33406
--- /dev/null
+++ b/t/injection.t
@@ -0,0 +1,17 @@
+#!/usr/bin/env perl
+use strict;
+use warnings;
+use Test::More;
+use lib 't/injection';
+
+no circular::require;
+
+eval "require('Foo; die q[bar]'); 1";
+like($@, qr/Can't locate Foo; die q\[bar\] in \@INC/,
+ "can't inject extra code via require");
+
+eval 'require(q[Foo$bar])';
+like($@, qr/Can't locate Foo\$bar in \@INC/,
+ "can't inject extra code via require");
+
+done_testing;
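Review bot: Both `like` calls in t/injection.t carry the same description, "can't inject extra code via require", so a failure report does not say which input got through; distinct names such as `"statement separator in require STR is not executed"` and `"\$var in require STR is not interpolated"` would make a regression readable at a glance. The checks are also indirect, since they match the "Can't locate" text in `$@` rather than asserting the property being protected. Because t/injection/Foo.pm exists only so that an injected `require Foo` would succeed, adding `ok(!exists $INC{'Foo.pm'}, "Foo was not loaded as a side effect");` before `done_testing` would pin that directly. The code under test is outside this diff (it is limited to 't'), so whether further metacharacter cases are needed cannot be judged from here.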
diff --git a/t/injection/Foo.pm b/t/injection/Foo.pm
new file mode 100644
index 0000000..336f337
--- /dev/null
+++ b/t/injection/Foo.pm
@@ -0,0 +1,2 @@
+package Foo;
+1;