
This queue is for tickets about the XML-Parser CPAN distribution.

Report information
The Basics
Id: 130561
Status: resolved
Priority: 0/
Queue: XML-Parser

People
Owner: Nobody in particular
Requestors: TODDR [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 2.44
Fixed in: (no value)



Subject: Security: parsefile function uses 2-argument open()
Moved here from https://github.com/chorny/XML-Parser/issues/8

guimard commented on Feb 25

Hi,

a Debian user reported that XML-Parser is vulnerable: the XML::Parser::parsefile function uses 2-argument open(). As a consequence, users of this function can't use it to securely check files with untrusted names. (Unless the users sanitize the filenames themselves, which they don't, because AFAICT this behavior is not documented.)

Proof of concept (duck is a Debian tool that uses XML::Parser):

    $ touch '; false .appdata; cowsay pwned >&2; kill $PPID |'
    $ duck
    sh: 1: ./: Permission denied

Here is a trivial patch:

--- a/Expat/Expat.pm +++ b/Expat/Expat.pm @@ -86,7 +86,7 @@ } local(*ENC); - open(ENC, $file) or croak("Couldn't open encmap $file:\n$!\n"); + open(ENC, '<', $file) or croak("Couldn't open encmap $file:\n$!\n"); binmode(ENC); my $data; my $br = sysread(ENC, $data, -s $file); @@ -492,7 +492,7 @@ my $self = shift; croak "Parser has already been used" if $self->{_State_}; local(*FILE); - open(FILE, $_[0]) or croak "Couldn't open $_[0]:\n$!"; + open(FILE, '<', $_[0]) or croak "Couldn't open $_[0]:\n$!"; binmode(FILE); my $ret = $self->parse(*FILE); close(FILE); --- a/Parser.pm +++ b/Parser.pm @@ -216,7 +216,7 @@ my $self = shift; my $file = shift; local(*FILE); - open(FILE, $file) or croak "Couldn't open $file:\n$!"; + open(FILE, '<', $file) or croak "Couldn't open $file:\n$!"; binmode(FILE); my @ret; my $ret;
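Review bot: In the first Expat.pm hunk (@@ -86), the unchanged context line `my $br = sysread(ENC, $data, -s $file);` still sizes the read with a second lookup of the path by name after the open. Now that ENC is opened read-only on the literal name, `-s ENC` would take the size from the handle that was actually opened rather than from whatever the name resolves to at that moment.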
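Review bot: The second Expat.pm hunk (@@ -492) changes how parsefile treats names containing mode characters, yet the patch touches only Expat/Expat.pm and Parser.pm and adds no test. A regression test that creates a file whose name ends in ` |` and asserts that parsefile parses that file's contents would keep the 2-argument form from coming back in a later cleanup of `open(FILE, '<', $_[0])`.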
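Review bot: In the Parser.pm hunk (@@ -216), the open still goes through the package glob set up by `local(*FILE);`. While this line is being changed, a lexical handle (`open(my $fh, '<', $file)`, with the following `binmode` adjusted to match) would be the idiomatic companion to the 3-argument form. Since the report notes the old behaviour was undocumented, the POD for parsefile should also say that the name is opened read-only and taken literally.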
Ticket migrated to github as https://github.com/toddr/XML-Parser/issues/82
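The difference between the two open() forms in the report, as an added example (not code from XML-Parser or from the original report). It assumes a POSIX system with `echo` on PATH; the file names and the helpers `slurp_two_arg` and `slurp_three_arg` are constructed for illustration, and the leading-whitespace case goes beyond the one case shown in the ticket.

```perl
# Added example: 2-argument vs 3-argument open() on constructed file names.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);
use Test::More tests => 4;

my $start = getcwd();
my $dir   = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# Form used before the patch: the mode is parsed out of the name itself.
sub slurp_two_arg {
    my ($file) = @_;
    local *FH;
    open(FH, $file) or return undef;
    my $data = do { local $/; <FH> };
    close(FH);
    return $data;
}

# Form used after the patch: explicit read mode, name taken literally.
sub slurp_three_arg {
    my ($file) = @_;
    open(my $fh, '<', $file) or return undef;
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

# Constructed names: a trailing '|' (the case in the report) and leading whitespace.
my %content = (
    'echo interpreted-as-command |' => "<doc>pipe name</doc>\n",
    ' report.xml'                   => "<doc>padded name</doc>\n",
);
for my $name (sort keys %content) {
    open(my $out, '>', $name) or die "create '$name': $!";
    print {$out} $content{$name};
    close($out) or die "close '$name': $!";
    is(slurp_three_arg($name), $content{$name}, "3-arg reads literal file '$name'");
}

# 2-arg open runs the first name as a command and reads its output instead.
is(slurp_two_arg('echo interpreted-as-command |'), "interpreted-as-command\n",
    '2-arg open executed the file name');
# 2-arg open strips the leading space, so it looks for "report.xml" and fails.
is(slurp_two_arg(' report.xml'), undef, '2-arg open cannot reach the padded name');

chdir $start or die "chdir $start: $!";
```

The same four assertions can be pointed at a parser's own file-opening routine to confirm that a patched build treats names literally.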