Subject: ambiguity between module and file names in TIEHASH
Date: Thu, 11 Feb 2010 00:42:58 +0100
To: bugs-Graphics-ColorNames [...] rt.cpan.org
From: Claus Färber <CFAERBER [...] cpan.org>
Hi!
The bug reported against Color::Calc seems to be a bug/design error in Graphics::ColorNames: if there's a file named 'X' in the current directory, the scheme name 'X' becomes ambiguous: it can refer both to a scheme read from file 'X' and to the scheme defined in Graphics::ColorNames::X. (The same is obviously true for other schemes such as 'HTML'.)
The result is that any application using Graphics::ColorNames might suddenly behave in unexpected ways. In some applications, this might even introduce HTML injection problems: if the current directory is untrusted, the color names and values are under the control of an untrusted source and might be used for HTML/code injection attacks.
I'm not sure how that could be fixed:
If module names just took precedence over file names (i.e. if the order is reversed in sub TIEHASH), the ambiguity is not really solved: if, say, 'Graphics::ColorNames::FancyScheme' is not installed, the file './FancyScheme' (or './Graphics::ColorNames::FancyScheme') might still be read. Further, it might break existing apps.
The best way IMO is to create a new interface that clearly separates the namespaces for files and modules.
Claus
PS: The patch for Color::Calc, which just omits the scheme name, actually works because 'X' is the default in Graphics::ColorNames.
Beginning of forwarded message:
> From: sunnavy <sunnavy@****.com>
> Date: 2010-02-09 14:27:54 CET
> To: CFAERBER@cpan.org
> Subject: maybe a bug of Color::Calc?
>
> Hi Claus
>
> I encountered an interesting situation when I tried to "use Color::Calc" today:
> if I have a *non*-empty file named "X" in the current working directory, then
> perl dies with a message like this:
> substr outside of string at /opt/perl-5.10.1/lib/site_perl/5.10.1/Graphics/ColorNames.pm line 313, <GEN0> line 1.
> Missing color name at lib/Color/Calc.pm line 76
>
> After some tracing, I found the problem is in the tie statement in the new
> method:
> tie %ColorNames, 'Graphics::ColorNames', ($self->{'ColorScheme'} || 'X');
> this will cause Graphics::ColorNames to read the "X" file if $self->{ColorScheme}
> is false; the fix is easy: just don't set "X" explicitly :P, patch is attached.
>
> best wishes
> sunnavy
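A defensive wrapper around the tie call quoted in this thread, as an added example (it is not code from Graphics::ColorNames, Color::Calc, or either correspondent): it assumes only the `tie %h, 'Graphics::ColorNames', $scheme` interface shown above, and refuses a scheme name whenever one of the ambiguous files the report describes exists in the current directory, so an untrusted working directory cannot silently replace the module's color table.

```perl
use strict;
use warnings;
use Graphics::ColorNames;

# Hypothetical wrapper (not part of Graphics::ColorNames or Color::Calc):
# accept a scheme name only in the form of a bare module-style name and
# refuse it when a same-named file in the current directory could be read
# instead of Graphics::ColorNames::<Name>.
sub tie_scheme_strict {
    my ($scheme) = @_;
    # 'X' is the default scheme; do not rely on passing it explicitly.
    $scheme = 'X' unless defined $scheme && length $scheme;

    # Reject path separators, dots and '::' so the argument can never be
    # interpreted as a relative or absolute file name.
    die "invalid scheme name '$scheme'\n"
        unless $scheme =~ /\A[A-Za-z][A-Za-z0-9_]*\z/;

    # Both spellings mentioned in the report are checked: './X' and
    # './Graphics::ColorNames::X'. Existence is enough to refuse; an empty
    # file is also suspicious in a directory we do not control.
    for my $candidate ($scheme, "Graphics::ColorNames::$scheme") {
        die "refusing scheme '$scheme': '$candidate' exists in the current directory\n"
            if -e $candidate;
    }

    my %names;
    tie %names, 'Graphics::ColorNames', $scheme;
    return \%names;
}

# Usage: the value printed is whatever the selected scheme defines for 'red'.
my $colors = tie_scheme_strict($ARGV[0]);
print "red is ", $colors->{red}, "\n";
```

The existence check is a guard for callers, not a replacement for the namespace separation the report asks for: a file created between the check and the tie would still be read, so the wrapper should be combined with running from a directory the application controls.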