| Subject: | ToMan.pm doesn't quote filename in system command |
Running perl 5.8.6 (via the Fink distribution) on Mac OS X 10.3.7. Pod::Perldoc version 3.13 installed.
In Pod::Perldoc::ToMan.pm, line 63:
my $command = "$pod2man $switches --lax $file | $render -man";
If $file contains special shell characters (spaces for example), then $command will not do the right thing when executed. Eg:
vasi$ perldoc "/Users/vasi/Library/Application Support/Glues/Terminal.pod"
Can't open /Users/vasi/Library/Application for reading: No such file or directory
at /usr/bin/pod2man line 60
Got a 0-length file from /Users/vasi/Library/Application Support/Glues/Terminal.pod via Pod::Perldoc::ToMan!?
This has potential security implications,. If a user can create a file in a known locate, and can pass an argument to perldoc (eg: via mod_perl), they can execute arbitrary commands. Eg: perldoc '; rm -rf /; .pm'
An easy fix is to change the offending line to quote the filename:
my $command = "$pod2man $switches --lax \Q$file\E | $render -man";
The other embedded variables in the command may also require quoting to ensure that perldoc operates correctly in all circumstances.