-rw-r--r--lib/Package/Stash.pm4
-rw-r--r--t/bug-rt-78272.t33
2 files changed, 36 insertions, 1 deletions
diff --git a/lib/Package/Stash.pm b/lib/Package/Stash.pm
index 605e97b..08a5e13 100644
--- a/lib/Package/Stash.pm
+++ b/lib/Package/Stash.pm
@@ -12,7 +12,9 @@ BEGIN {
my $err;
if ($IMPLEMENTATION) {
- if (!eval "require Package::Stash::$IMPLEMENTATION; 1") {
+ my $file = "Package::Stash::$IMPLEMENTATION.pm";
+ $file =~ s{::}{/}g;
+ if (!eval 'require($file) ; 1') {
require Carp;
Carp::croak("Could not load Package::Stash::$IMPLEMENTATION: $@");
}
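Review bot: The guard on the third added line still goes through a string `eval` even though `$file` is now a plain path and nothing needs to be interpolated into code; a block eval, `if (!eval { require $file; 1 }) {`, removes the string-eval entirely and is simpler to audit. The value of `$IMPLEMENTATION` is also still not restricted to identifier characters before it becomes a path, so a value containing `/` or `..` segments is searched for under `@INC` rather than rejected; a check such as `$IMPLEMENTATION =~ m{\A\w+\z}` (croaking otherwise) before building `$file` would make the accepted set explicit. The enclosing BEGIN block starts and ends outside the hunk, so I cannot see whether such validation already exists earlier.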
diff --git a/t/bug-rt-78272.t b/t/bug-rt-78272.t
new file mode 100644
index 0000000..670782b
--- /dev/null
+++ b/t/bug-rt-78272.t
@@ -0,0 +1,33 @@
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Exception;
+
+subtest 'Bug RT-78272: Arbitrary code execution from $ENV' => sub {
+
+ # https://rt.cpan.org/Public/Bug/Display.html?id=78272
+ my $e = $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP; exit 1";
+ throws_ok {
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Arbitrary code in $ENV throws exception';
+
+ throws_ok {
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Sanity check: forcing package reload throws the exception again';
+
+ lives_ok {
+ $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP";
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ new_ok(
+ 'Package::Stash' => ['Foo'],
+ 'Loaded and able to create instances'
+ );
+ }
+ 'Valid $ENV value loads correctly';
+};
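Review bot: Both `throws_ok` patterns interpolate `$e` into a regex unescaped; the current value happens to contain no metacharacters, but a future change to the probe string would silently alter the pattern, so use `qr/^Could not load Package::Stash::\Q$e\E/` in both places. The assignments to `$ENV{PACKAGE_STASH_IMPLEMENTATION}` are also not localized, so the override persists for the rest of the process; `local $ENV{PACKAGE_STASH_IMPLEMENTATION}` at the top of the subtest would keep the setting contained.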