
This queue is for tickets about the NgxQueue CPAN distribution.

Report information
The Basics
Id: 116200
Status: new
Priority: 0/
Queue: NgxQueue

People
Owner: Nobody in particular
Requestors: 'spro^^*%*^6ut# [...] &$%*c
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Security vulnerability
XSLoader 0.21 and earlier have a bug in them that allows paths outside of @INC to be checked for code to load if the calling code's file (as returned by caller()) is something not in @INC. Since a string eval has '(eval 1)' or similar for its 'file name', this code in NgxQueue is vulnerable:

    eval qq{ require XSLoader; XSLoader::load __PACKAGE__, $VERSION; };

There is actually no need for the string eval. Removing the 'qq' after 'eval' will close the security hole. Alternatively, you might want to make this module depend on XSLoader version 0.22.
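As an added illustration (not code from the ticket, from NgxQueue, or from XSLoader itself), the Perl script below shows what caller() reports inside a string eval versus a block eval. The sub report_caller_file is an assumed stand-in for the caller() lookup inside XSLoader::load, which is the value the old XSLoader used to derive a search location.

```perl
#!/usr/bin/env perl
# Added example, not part of the NgxQueue distribution. Inside a string eval,
# caller() reports a pseudo file name such as "(eval 1)", which is not a path
# under @INC; XSLoader 0.21 and earlier used that name when deciding where to
# look for the shared object. A block eval reports the real source file.
use strict;
use warnings;

# Stand-in (assumption) for the caller() check in XSLoader::load: it returns
# the file name of the code that called it, exactly as XSLoader would see it.
sub report_caller_file {
    my (undef, $file) = caller;
    return $file;
}

# Vulnerable form, matching the ticket: the call runs inside a string eval,
# so the file name handed to the loader is "(eval N)".
sub string_eval_file {
    my $f;
    eval qq{ \$f = report_caller_file(); 1 } or die $@;
    return $f;
}

# Fixed form: the same call inside a block eval (the 'qq' removed), so the
# loader sees the real file name of this script.
sub block_eval_file {
    my $f;
    eval { $f = report_caller_file(); 1 } or die $@;
    return $f;
}

# True when the reported file name is a string-eval pseudo name rather than
# a real path that could live under @INC.
sub is_eval_pseudo_file {
    my ($file) = @_;
    return $file =~ /^\(eval \d+\)$/ ? 1 : 0;
}

my $bad  = string_eval_file();
my $good = block_eval_file();
printf "string eval: caller file = %s (pseudo name: %s)\n",
    $bad, is_eval_pseudo_file($bad) ? "yes" : "no";
printf "block eval : caller file = %s (pseudo name: %s)\n",
    $good, is_eval_pseudo_file($good) ? "yes" : "no";
```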