Subject: Wrong secret causes perl error
If the deserialize(...) function is called and an incorrect secret is
provided or if the data to be deserialized is corrupted, perl sometimes
exits with an error, or garbage is passed to the actual deserializer
which may also cause perl to exit.
The actual problem is with:
($old_digest) = $input =~ /^([^=]+?)=/;
and
$input =~ s/^$old_digest=//;
To be more specific, when either the secret is wrong, or the data is
corrupted, $input may contain things like "[" followed by any amount of
chars, then a "=". In such a case and others, $old_digest will be
assigned an invalid string for use in "s/^$old_digest=//", and this will
cause perl to exit with an error.
This patch corrects this problem:
--- Serializer.pm.old Thu Apr 16 07:39:39 2009
+++ Serializer.pm Mon Nov 22 23:32:02 2010
@@ -654,9 +654,9 @@
my $input = (shift);
my $digester = (shift);
$self->_module_loader('Digest');
- my ($old_digest) = $input =~ /^([^=]+?)=/;
+ $input =~ s/^([^=]+?)=//;
+ my $old_digest = $1;
return undef unless (defined $old_digest);
- $input =~ s/^$old_digest=//;
my $new_digest = $self->_get_digest($input,$digester);
return undef unless ($new_digest eq $old_digest);
return $input;
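Review bot: Reading `$1` after `$input =~ s/^([^=]+?)=//;` (the two `+` lines) does not reliably detect a failed match: Perl leaves `$1` holding the capture from the last successful match in the enclosing dynamic scope, including a caller's, so `return undef unless (defined $old_digest);` can pass with a stale value when the digest prefix is absent. Test the substitution's return value instead, e.g. `return undef unless $input =~ s/^([^=]+?)=//; my $old_digest = $1;`. It would also help to state in the change description that the root cause is unescaped regex interpolation in the removed `s/^$old_digest=//` line, and that `\Q$old_digest\E` would have been the minimal alternative fix.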
-Neil-
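The failure mode described in the report, as an added Perl example that is not part of the report or of Data::Serializer: the original prefix-stripping logic with `$old_digest` interpolated unescaped into `s///`, beside the patch's capture-first approach and a `\Q...\E` variant. The three input strings are constructed to mimic a correct digest prefix and two prefixes a wrong secret or corrupted data can produce.

```perl
use strict;
use warnings;

# Constructed inputs: a hex digest prefix as produced with the right secret,
# and two prefixes containing regex metacharacters, as seen with a wrong
# secret or corrupted data.
my @inputs = (
    'd41d8cd98f00b204e9800998ecf8427e=payload',
    '[garbage=payload',
    'a+b=payload',
);

# Original behaviour: $old_digest is interpolated as a pattern, so "[" makes
# perl die ("Unmatched [") and "a+b" silently fails to strip the prefix,
# passing garbage on to the deserializer.
sub strip_prefix_unsafe {
    my $input = shift;
    my ($old_digest) = $input =~ /^([^=]+?)=/;
    return undef unless defined $old_digest;
    $input =~ s/^$old_digest=//;
    return ($old_digest, $input);
}

# Patched behaviour: capture and remove the prefix in one substitution and
# test its return value, so a missing prefix is not masked by a stale $1.
sub strip_prefix_patched {
    my $input = shift;
    return undef unless $input =~ s/^([^=]+?)=//;
    my $old_digest = $1;
    return ($old_digest, $input);
}

# Alternative minimal fix: \Q...\E quotes the value so it matches literally.
sub strip_prefix_quotemeta {
    my $input = shift;
    my ($old_digest) = $input =~ /^([^=]+?)=/;
    return undef unless defined $old_digest;
    $input =~ s/^\Q$old_digest\E=//;
    return ($old_digest, $input);
}

my %variants = (
    unsafe    => \&strip_prefix_unsafe,
    patched   => \&strip_prefix_patched,
    quotemeta => \&strip_prefix_quotemeta,
);

for my $input (@inputs) {
    for my $name (sort keys %variants) {
        my @r = eval { $variants{$name}->($input) };
        if    ($@)              { print "$name: died: $@" }
        elsif (!defined $r[0])  { print "$name: no digest prefix in '$input'\n" }
        else                    { print "$name: digest=$r[0] rest=$r[1]\n" }
    }
}
```

Only the unsafe variant dies on the `[` input or leaves `a+b=payload` unstripped; the other two strip the prefix literally in every case.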