
This queue is for tickets about the STD CPAN distribution.

Report information
The Basics
Id: 132275
Status: new
Priority: 0/
Queue: STD

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 20101111
Fixed in: (no value)



Subject: YAML-LibYAML 0.81 disabled $YAML::XS::LoadBlessed breaking STD
After upgrading YAML-LibYAML from 0.80 to 0.81, Syntax-Highlight-Perl6-0.88 test fails like this:

t/00-compile.t ............. ok
given is experimental at /usr/share/perl5/STD.pm line 28038.
[...]
Can't call method "nfa" on unblessed reference at /usr/share/perl5/CursorBase.pm line 2388.
# Looks like your test exited with 255 before it could output anything.
t/00-std.t ................. Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 2/2 subtests

CursorBase.pm belongs to STD-20101111. It seems that STD relies on deserializing AST trees from YAML documents and the YAML-LibYAML that effectively stopped blessing references into objects broke STD.

I recommend setting $YAML::XS::LoadBlessed=1 in STD to fix it. It seems that STD calls YAML::XS::Load() on constant here-documents only, so security should not suffer.
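The difference the report turns on, as an added example that is not part of the ticket or of STD: the same tagged document loaded once with blessing enabled only inside one call, and once with the YAML-LibYAML 0.81 default enforced. The helper names `load_trusted` and `load_untrusted`, the class name `Demo::Node` and the sample document are constructed for illustration.

```perl
use strict;
use warnings;
use YAML::XS ();
use Scalar::Util 'blessed';

# Constructed sample: a constant here-document carrying a Perl object tag,
# standing in for the embedded documents the ticket describes.
my $embedded_doc = <<'YAML';
--- !!perl/hash:Demo::Node
name: termish
kids: []
YAML

# Hypothetical helper for documents the program ships itself.
# 'local' limits the setting to this call; the previous value is
# restored on return, so other callers of YAML::XS are unaffected.
sub load_trusted {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 1;
    return YAML::XS::Load($yaml);
}

# Hypothetical helper for input from anywhere else. It pins the
# 0.81 default even if some other module switched blessing on globally.
sub load_untrusted {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 0;
    return YAML::XS::Load($yaml);
}

my $node = load_trusted($embedded_doc);
my $data = load_untrusted($embedded_doc);

# With blessing on, the tag becomes the object's class; with it off,
# the tag is ignored and a plain hash reference comes back, which is
# what produces "Can't call method ... on unblessed reference".
printf "trusted:   %s\n", blessed($node) // 'unblessed hash';
printf "untrusted: %s\n", blessed($data) // 'unblessed hash';
printf "same data: %s\n", $node->{name} eq $data->{name} ? 'yes' : 'no';
```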
On Tue 31 Mar 2020 11:02:25, ppisar wrote:
> I recommend setting $YAML::XS::LoadBlessed=1 in STD to fix it. It
> seems that STD calls YAML::XS::Load() on constant here-documents only,
> so security should not suffer.
An attached patch fixes it.
Subject: STD-20101111-Enable-loading-objects-from-YAML-documents.patch
From ef346a29b134e745218fe5c9e27a8697d53ec8f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Tue, 31 Mar 2020 17:36:55 +0200 Subject: [PATCH] Enable loading objects from YAML documents MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit YAML-LibYAML-0.81 disabled $YAML::XS::LoadBlessed by default and that broke STD that relies on deserializing AST objects from YAML documents. This patch reenables it. STD library seems to load only its own documents so it does not possess a security issue. The viv tools is somewhat questionable. CPAN RT#132275 Signed-off-by: Petr Písař <ppisar@redhat.com> --- bin/viv | 1 + lib/STD.pm | 1 + lib/STD_P5.pm | 1 + 3 files changed, 3 insertions(+) diff --git a/bin/viv b/bin/viv index d13fb67..8dd8717 100644 --- a/bin/viv +++ b/bin/viv @@ -44,6 +44,7 @@ use YAML::XS; # An attempt to replace this with YAML::Syck passed the # disjoint sets of descending numbers. Also, empty # sequences shown as [] became followed by an empty line. # See also: YAML::Syck in package VAST::package_def below. +$YAML::XS::LoadBlessed = 1; use Encode; use Scalar::Util 'blessed', 'refaddr'; use Storable; diff --git a/lib/STD.pm b/lib/STD.pm index 1ae16c2..00b503e 100644 --- a/lib/STD.pm +++ b/lib/STD.pm @@ -27,6 +27,7 @@ my $retree; $DB::deep = $DB::deep = 1000; # suppress used-once warning use YAML::XS; +$YAML::XS::LoadBlessed = 1; $SIG{__WARN__} = sub { die @_," statement started at line ", 'STD::Cursor'->lineof($::LASTSTATE), " " } if $::DEBUG; diff --git a/lib/STD_P5.pm b/lib/STD_P5.pm index 8828e5f..654bbfa 100644 --- a/lib/STD_P5.pm +++ b/lib/STD_P5.pm @@ -43,6 +43,7 @@ my $retree; $DB::deep = $DB::deep = 1000; # suppress used-once warning use YAML::XS; +$YAML::XS::LoadBlessed = 1; $SIG{__WARN__} = sub { die @_," statement started at line ", 'STD::Cursor'->lineof($::LASTSTATE), " " } if $::DEBUG; -- 2.21.1
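Review bot: In bin/viv the new `$YAML::XS::LoadBlessed = 1;` is a file-scope assignment to a YAML::XS package global, so every later YAML::XS::Load call in the tool blesses whatever object tags its input carries, and the commit message itself calls viv "somewhat questionable". Prefer `local $YAML::XS::LoadBlessed = 1;` inside the block that loads documents originating from STD, and keep the default for any other input. The line also lands directly under the YAML::Syck comment block, where it reads as part of that remark; a blank line and a one-line comment naming the YAML-LibYAML 0.81 default change would separate the two.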
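Review bot: In lib/STD.pm the assignment placed right after `use YAML::XS;` runs when the module is loaded and changes the setting for the whole process, so any program that loads STD also gets object blessing in its own, unrelated YAML::XS::Load calls. The commit message's argument that STD loads only its own documents covers STD's calls, not the caller's. Scoping the change with `local $YAML::XS::LoadBlessed = 1;` around STD's own Load calls keeps the fix without altering the default for the rest of the process.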
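Review bot: The added line in lib/STD_P5.pm carries no comment, unlike the `$DB::deep` line in the context just above it, and it is the third copy of the same global assignment in this patch. A short comment such as `# YAML-LibYAML 0.81 stopped blessing by default; STD needs objects (CPAN RT#132275)` would keep a later cleanup from removing it. Because the variable is process-wide, it is better applied with `local` around this module's own Load calls than at file scope.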