
This queue is for tickets about the Module-Load CPAN distribution.

Report information
The Basics
Id: 106128
Status: new
Priority: 0/
Queue: Module-Load

People
Owner: Nobody in particular
Requestors: dolmen [...] cpan.org
Cc: ether [...] cpan.org
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)
CC: ETHER [...] cpan.org
Subject: Document that Module::Load is vulnerable to path traversal attacks, by design
Module::Load::load is vulnerable to path traversal attacks, and this is by design (because load() can load both modules and arbitrary files) and can't be fixed.
About path traversal attacks: https://cwe.mitre.org/data/definitions/23.html
Module::Load is in perl core while Module::Runtime is not, and many programmers are using Module::Load instead of Module::Runtime for this reason, while they do not provide the same level of safety.

So it is important to document this by-design vulnerability in POD and recommend instead Module::Runtime when unsafe values may be given to Module::Load::load.


Related issues about loading modules dynamically:
https://github.com/Perl-Toolchain-Gang/Software-License/pull/35
https://github.com/simonwistow/Module-Pluggable/pull/6

-- 
Olivier Mengué - http://perlresume.org/DOLMEN - https://gratipay.com/dolmen/
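The mitigation the ticket asks callers to adopt, shown as an added example (this is not code from the ticket or from Module::Load itself): since load() accepts either a package name or a file path, a caller that receives the value from an untrusted source must reject anything that is not a bare package name before handing it to Module::Load::load. The helper names looks_like_module_name and safe_load are hypothetical; Module::Runtime, which the ticket recommends, ships equivalent checks as is_module_name and use_module.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Module::Load ();

# Module::Load::load() treats a value containing a path separator or a
# file extension as a file to require, so an attacker-controlled string
# can name any readable file on disk (CWE-23). This check (hypothetical
# helper, not part of Module::Load) admits only syntactic package names:
# identifiers joined by "::", with no "/", "\", "." or quote characters.
sub looks_like_module_name {
    my ($name) = @_;
    return defined $name
        && $name =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/;
}

# Hypothetical wrapper: validate first, then delegate to Module::Load.
sub safe_load {
    my ($name) = @_;
    die "refusing to load '$name': not a bare module name\n"
        unless looks_like_module_name($name);
    Module::Load::load($name);
    return $name;
}

# Constructed sample inputs: one legitimate module name followed by the
# kind of path-shaped values that would otherwise reach require() directly.
my @candidates = (
    'List::Util',
    '../../../etc/passwd',
    'lib/Local/Plugin.pm',
    'Local::Plugin.pm',
);

for my $candidate (@candidates) {
    my $ok = eval { safe_load($candidate); 1 };
    my $why = $ok ? 'loaded' : 'rejected: ' . ($@ =~ s/\n\z//r);
    printf "%-24s %s\n", $candidate, $why;
}
```

Only the first candidate is loaded; the three path-shaped values die in safe_load before Module::Load ever sees them.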