From bcc7f413d40988759ea3ee73f9beb52b299cf1bb Mon Sep 17 00:00:00 2001
From: Carlos Lima
Date: Fri, 7 Dec 2012 01:08:23 +0800
Subject: Fixes bug RT-78272 https://rt.cpan.org/Public/Bug/Display.html?id=78272 Just copied UNIVERSAL::require's solution to the same problem. I didn't just use it as to not add any non-test dependency.
---
 lib/Package/Stash.pm | 4 +++-
 t/bug-rt-78272.t | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 t/bug-rt-78272.t
diff --git a/lib/Package/Stash.pm b/lib/Package/Stash.pm
index 605e97b..08a5e13 100644
--- a/lib/Package/Stash.pm
+++ b/lib/Package/Stash.pm
@@ -12,7 +12,9 @@ BEGIN {
 my $err;
 if ($IMPLEMENTATION) {
- if (!eval "require Package::Stash::$IMPLEMENTATION; 1") {
+ my $file = "Package::Stash::$IMPLEMENTATION.pm";
+ $file =~ s{::}{/}g;
+ if (!eval 'require($file) ; 1') {
 require Carp;
 Carp::croak("Could not load Package::Stash::$IMPLEMENTATION: $@");
 }
diff --git a/t/bug-rt-78272.t b/t/bug-rt-78272.t
new file mode 100644
index 0000000..670782b
--- /dev/null
+++ b/t/bug-rt-78272.t
@@ -0,0 +1,33 @@
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Exception;
+
+subtest 'Bug RT-78272: Arbitrary code execution from $ENV' => sub {
+
+ # https://rt.cpan.org/Public/Bug/Display.html?id=78272
+ my $e = $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP; exit 1";
+ throws_ok {
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Arbitrary code in $ENV throws exception';
+
+ throws_ok {
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Sanity check: forcing package reload throws the exception again';
+
+ lives_ok {
+ $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP";
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ new_ok(
+ 'Package::Stash' => ['Foo'],
+ 'Loaded and able to create instances'
+ );
+ }
+ 'Valid $ENV value loads correctly';
+};
--
cgit v1.2.3-54-g00ecf
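Review bot: The `$file` built on the first added line of the Stash.pm hunk is only sanitized by the `::` to `/` substitution on the second, so a value such as `../../tmp/x` in `$IMPLEMENTATION` still produces a relative `require` path containing `..` that Perl resolves against every `@INC` entry; the string-eval code injection is closed, but the environment-controlled name (the commit message and the new test point at `$ENV{PACKAGE_STASH_IMPLEMENTATION}`) can still load any attacker-writable `.pm` outside `Package/Stash/`. I would reject anything that is not a plain package name before building the path: `if ($IMPLEMENTATION !~ /\A[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*\z/) { require Carp; Carp::croak("Invalid Package::Stash implementation: $IMPLEMENTATION"); }`. The string eval on the third added line is also no longer needed now that `$file` is an ordinary runtime variable; a block `eval { require $file; 1 }` does the same without compiling code from a string and reads more clearly. The enclosing `BEGIN` block, and wherever `$IMPLEMENTATION` is assigned, lie outside the hunk.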
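Review bot: Both `qr/^Could not load Package::Stash::$e/` patterns in the new test interpolate the payload unescaped, so they only match because `"PP; exit 1"` happens to contain no regex metacharacters; a future payload with `(`, `.` or `$` would silently change the pattern, so quote it as `qr/^Could not load Package::Stash::\Q$e\E/`. The subtest also assigns `$ENV{PACKAGE_STASH_IMPLEMENTATION}` directly rather than under `local`, so the trailing `"PP"` stays set for anything that runs later in the same process; harmless for a standalone `.t` file, but a `local $ENV{PACKAGE_STASH_IMPLEMENTATION};` at the top of the `sub` would contain it. A short comment on the `delete $INC{'Package/Stash.pm'}` lines, e.g. `# drop the %INC entry so the next require really re-runs Package::Stash's BEGIN block`, would explain why the reload has to be forced.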