author | Carlos Lima <carlos@multi> | 2012-12-07 01:08:23 +0800 |
---|---|---|
committer | Jesse Luehrs <doy@tozt.net> | 2013-01-03 21:33:06 -0600 |
commit | bcc7f413d40988759ea3ee73f9beb52b299cf1bb (patch) | |
tree | d564006d4f45e315224ada54dd8c4d0b13f53060 | |
parent | f4e53d90c9bf2c9d26e8155b5f9221cdb8fcb9a7 (diff) | |
Fixes bug RT-78272
https://rt.cpan.org/Public/Bug/Display.html?id=78272
Just copied UNIVERSAL::require's solution to the same problem.
I didn't use the module itself, so as not to add any non-test dependency.
-rw-r--r-- | lib/Package/Stash.pm | 4 | ||||
-rw-r--r-- | t/bug-rt-78272.t | 33 |
2 files changed, 36 insertions, 1 deletions
diff --git a/lib/Package/Stash.pm b/lib/Package/Stash.pm
index 605e97b..08a5e13 100644
--- a/lib/Package/Stash.pm
+++ b/lib/Package/Stash.pm
@@ -12,7 +12,9 @@ BEGIN {
 my $err;
 if ($IMPLEMENTATION) {
- if (!eval "require Package::Stash::$IMPLEMENTATION; 1") {
+ my $file = "Package::Stash::$IMPLEMENTATION.pm";
+ $file =~ s{::}{/}g;
+ if (!eval 'require($file) ; 1') {
 require Carp;
 Carp::croak("Could not load Package::Stash::$IMPLEMENTATION: $@");
 }
diff --git a/t/bug-rt-78272.t b/t/bug-rt-78272.t
new file mode 100644
index 0000000..670782b
--- /dev/null
+++ b/t/bug-rt-78272.t
@@ -0,0 +1,33 @@
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Exception;
+
+subtest 'Bug RT-78272: Arbitrary code execution from $ENV' => sub {
+
+ # https://rt.cpan.org/Public/Bug/Display.html?id=78272
+ my $e = $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP; exit 1";
+ throws_ok {
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Arbitrary code in $ENV throws exception';
+
+ throws_ok {
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Sanity check: forcing package reload throws the exception again';
+
+ lives_ok {
+ $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP";
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ new_ok(
+ 'Package::Stash' => ['Foo'],
+ 'Loaded and able to create instances'
+ );
+ }
+ 'Valid $ENV value loads correctly';
+}; |
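Review bot: `$IMPLEMENTATION` still reaches `require` unvalidated in the added `my $file = ...` lines. The string eval no longer interpolates it, but a value containing `/`, `..` or extra `::` is still turned into a relative path, and whatever `.pm` file that resolves to under `@INC` gets loaded. An anchored name check ahead of the path construction would close this, for example `if ($IMPLEMENTATION !~ /\A\w+\z/) { require Carp; Carp::croak("Could not load Package::Stash::$IMPLEMENTATION: invalid implementation name"); }`, which keeps the message prefix the new test matches on. Since the eval text is now constant, the block form `if (!eval { require $file; 1 }) {` does the same job without a string eval. The enclosing `BEGIN` block and the place where `$IMPLEMENTATION` is assigned lie outside this hunk, so confirm no earlier validation exists there.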
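Review bot: Both `qr/^Could not load Package::Stash::$e/` patterns interpolate `$e` as regex source, so they only match literally because `"PP; exit 1"` happens to contain no metacharacters. `qr/^Could not load Package::Stash::\Q$e\E/` keeps the assertion exact if the hostile value is ever changed to one containing `(`, `.` or `$`. The assignments to `$ENV{PACKAGE_STASH_IMPLEMENTATION}` are also process-global; using `local` on that key inside the subtest would stop the hostile value leaking into anything that runs afterwards. A short comment would help too, noting that a regression shows up as the test process exiting with status 1 rather than as a failed assertion.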