From f2d84d37c3c9007904ac6f61755a1174d4a86311 Mon Sep 17 00:00:00 2001 From: Jesse Luehrs Date: Wed, 4 Jan 2012 19:01:20 -0600 Subject: don't allow require STR within string eval to inject arbitrary code --- lib/circular/require.pm | 12 +++--------- t/injection.t | 17 +++++++++++++++++ t/injection/Foo.pm | 2 ++ 3 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 t/injection.t create mode 100644 t/injection/Foo.pm diff --git a/lib/circular/require.pm b/lib/circular/require.pm index 3c65846..5cc4657 100644 --- a/lib/circular/require.pm +++ b/lib/circular/require.pm @@ -80,10 +80,11 @@ sub _require { # but we're not in an eval anymore # fake it up so that this looks the same if (defined((caller(1))[6])) { - my $mod = _pm2mod($file); + require B; + my $str = B::perlstring($file); $ret = $saved_require_hook ? $saved_require_hook->($file) - : (eval "CORE::require $mod" || die $@); + : (eval "CORE::require($str)" || die $@); } else { $ret = $saved_require_hook @@ -125,13 +126,6 @@ sub _mod2pm { return $mod; } -sub _pm2mod { - my ($file) = @_; - $file =~ s+/+::+g; - $file =~ s+\.pm$++; - return $file; -} - =head1 CAVEATS This module works by overriding C, and so other modules diff --git a/t/injection.t b/t/injection.t new file mode 100644 index 0000000..5e33406 --- /dev/null +++ b/t/injection.t @@ -0,0 +1,17 @@ +#!/usr/bin/env perl +use strict; +use warnings; +use Test::More; +use lib 't/injection'; + +no circular::require; + +eval "require('Foo; die q[bar]'); 1"; +like($@, qr/Can't locate Foo; die q\[bar\] in \@INC/, + "can't inject extra code via require"); + +eval 'require(q[Foo$bar])'; +like($@, qr/Can't locate Foo\$bar in \@INC/, + "can't inject extra code via require"); + +done_testing; diff --git a/t/injection/Foo.pm b/t/injection/Foo.pm new file mode 100644 index 0000000..336f337 --- /dev/null +++ b/t/injection/Foo.pm @@ -0,0 +1,2 @@ +package Foo; +1; -- cgit v1.2.3-54-g00ecf