Skip Menu |

This queue is for tickets about the Module-Load CPAN distribution.

Report information
The Basics
Id: 71442
Status: resolved
Worked: 5 min
Priority: 0/
Queue: Module-Load
People
Owner: BINGOS [...] cpan.org
Requestors: rurban [...] x-ray.at
Cc: ether [...] cpan.org
AdminCc:
Bug Information
Severity: Critical
Broken in: 0.20
Fixed in: (no value)
Attachments
Module-Load-0.20-sec.patch

History Show all quoted text
  Tue Oct 04 10:06:10 2011 rurban [...] x-ray.at - Ticket created
Subject: Security [PATCH]: Do not allow absolute paths or step paths upwards
See http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or- bad-interfaces-make-good-people-do-bad-things.html
Subject: Module-Load-0.20-sec.patch
diff -bu Module-Load-0.20//lib/Module/Load.pm~ Module-Load-0.20//lib/Module/Load.pm --- Module-Load-0.20//lib/Module/Load.pm~ 2011-10-04 08:53:44.000000000 -0500 +++ Module-Load-0.20//lib/Module/Load.pm 2011-10-04 09:02:52.000000000 -0500 @@ -18,6 +18,12 @@ my $who = _who(); if( _is_file( $mod ) ) { + # explicitly protect against "/" at the beginning or "/.." in the middle of the string, + # otherwise you can execute any file in e.g. /tmp + # see http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or-bad-interfaces-make-good-people-do-bad-things.html + # do execute such files the user must use C<do $path> + die "absolute path to Module::Load::load forbidden" if $mod =~ m|^(?:"')?/|; + die "../ in Module::Load::load paths forbidden" if $mod =~ m|\.\.[/\\]|; require $mod; } else { LOAD: { @@ -146,6 +152,12 @@ fails, we will try to find C<file> in @INC. If both fail, we die with the respective error messages. +=item * + +If the argument is file, and the file is either an absolute path or steps the path upwards, +we die. See http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or-bad-interfaces-make-good-people-do-bad-things.html +Do execute such files the user must use C<do $path> + =back =head1 Caveats
  Tue Oct 04 12:34:11 2011 dagolden [...] cpan.org - Correspondence added
Subject: Re: [rt.cpan.org #71442] Security [PATCH]: Do not allow absolute paths or step paths upwards
Date: Tue, 4 Oct 2011 12:33:41 -0400
To: bug-Module-Load [...] rt.cpan.org
From: David Golden <dagolden [...] cpan.org>
On Tue, Oct 4, 2011 at 10:06 AM, Reini Urban via RT <bug-Module-Load@rt.cpan.org> wrote: Show quoted text
> See http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or- > bad-interfaces-make-good-people-do-bad-things.html
I don't see the point. It's not the job of this module to protect the use from arbitrary malicious input. The job of the module is to load files and modules. If a user *wants* to load a file via a relative path or an absolute path, why not let them? -- David
  Tue Oct 04 12:34:12 2011 The RT System itself - Status changed from 'new' to 'open'
  Tue Oct 04 16:17:19 2011 chris [...] bingosnet.co.uk - Correspondence added
Subject: Re: [rt.cpan.org #71442] Security [PATCH]: Do not allow absolute paths or step paths upwards
Date: Tue, 4 Oct 2011 21:17:07 +0100
To: David Golden via RT <bug-Module-Load [...] rt.cpan.org>
From: "Chris 'BinGOs' Williams" <chris [...] bingosnet.co.uk>
On Tue, Oct 04, 2011 at 12:34:12PM -0400, David Golden via RT wrote: Show quoted text
> Queue: Module-Load > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=71442 > > > On Tue, Oct 4, 2011 at 10:06 AM, Reini Urban via RT > <bug-Module-Load@rt.cpan.org> wrote:
> > See http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or- > > bad-interfaces-make-good-people-do-bad-things.html
> > I don't see the point. It's not the job of this module to protect the > use from arbitrary malicious input. The job of the module is to load > files and modules. If a user *wants* to load a file via a relative > path or an absolute path, why not let them? >
I've had more time to examine the changes and I concur with David. What I can fix is the problem with something like: my $foo = '::tmp::PWNED'; load $foo; Currently this will resolve to '/tmp/PWNED.pm', which is what I presume Schwern meant by 'hopping' out of @INC. $ perl -MModule::Load -E 'say Module::Load::_to_file(shift,1);' '::tmp::PWNED' /tmp/PWNED.pm I have fixed this now and will be doing a release. Many thanks, -- Chris Williams aka BinGOs PGP ID 0x4658671F http://www.gumbynet.org.uk ==========================
Download (untitled)
application/pgp-signature 189b

Message body not shown because it is not plain text.

  Tue Oct 04 16:30:41 2011 rurban [...] x-ray.at - Correspondence added
Subject: Re: [rt.cpan.org #71442] Security [PATCH]: Do not allow absolute paths or step paths upwards
Date: Tue, 4 Oct 2011 15:30:27 -0500
To: bug-Module-Load [...] rt.cpan.org
From: Reini Urban <rurban [...] x-ray.at>
On Tue, Oct 4, 2011 at 3:17 PM, chris@bingosnet.co.uk via RT <bug-Module-Load@rt.cpan.org> wrote: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=71442 > > > On Tue, Oct 04, 2011 at 12:34:12PM -0400, David Golden via RT wrote:
>>        Queue: Module-Load >>  Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=71442 > >> >> On Tue, Oct 4, 2011 at 10:06 AM, Reini Urban via RT >> <bug-Module-Load@rt.cpan.org> wrote:
>> > See http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or- >> > bad-interfaces-make-good-people-do-bad-things.html
>> >> I don't see the point.  It's not the job of this module to protect the >> use from arbitrary malicious input.  The job of the module is to load >> files and modules.  If a user *wants* to load a file via a relative >> path or an absolute path, why not let them? >>
> > I've had more time to examine the changes and I concur with David. > > What I can fix is the problem with something like: > > my $foo = '::tmp::PWNED'; > load $foo; > > Currently this will resolve to '/tmp/PWNED.pm', which is what I presume Schwern > meant by 'hopping' out of @INC. > > $ perl -MModule::Load -E 'say Module::Load::_to_file(shift,1);' '::tmp::PWNED' > /tmp/PWNED.pm > > I have fixed this now and will be doing a release.
Zefram checked the core parser and is proposing either using Module::Runtime::is_valid_module_name() or use the regex from there: qr/[A-Z_a-z][0-9A-Z_a-z]*(?:::[0-9A-Z_a-z]+)*/ That's far more forbidding than the current checks and my checks. That's what core require bareword is checking. -- Reini Urban http://cpanel.net/   http://www.perl-compiler.org/
  Wed Oct 05 20:42:16 2011 ether [...] cpan.org - Cc ETHER added
  Thu Feb 09 03:17:46 2012 ribasushi [...] leporine.io - Correspondence added
On Tue Oct 04 16:30:41 2011, rurban@x-ray.at wrote: Show quoted text
> On Tue, Oct 4, 2011 at 3:17 PM, chris@bingosnet.co.uk via RT > <bug-Module-Load@rt.cpan.org> wrote:
> > <URL: https://rt.cpan.org/Ticket/Display.html?id=71442 > > > > > On Tue, Oct 04, 2011 at 12:34:12PM -0400, David Golden via RT wrote:
> >>        Queue: Module-Load > >>  Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=71442 > > >> > >> On Tue, Oct 4, 2011 at 10:06 AM, Reini Urban via RT > >> <bug-Module-Load@rt.cpan.org> wrote:
> >> > See http://blogs.perl.org/users/michael_g_schwern/2011/10/how-
> not-to-load-a-module-or-
> >> > bad-interfaces-make-good-people-do-bad-things.html
> >> > >> I don't see the point.  It's not the job of this module to protect
> the
> >> use from arbitrary malicious input.  The job of the module is to
> load
> >> files and modules.  If a user *wants* to load a file via a relative > >> path or an absolute path, why not let them? > >>
> > > > I've had more time to examine the changes and I concur with David. > > > > What I can fix is the problem with something like: > > > > my $foo = '::tmp::PWNED'; > > load $foo; > > > > Currently this will resolve to '/tmp/PWNED.pm', which is what I
> presume Schwern
> > meant by 'hopping' out of @INC. > > > > $ perl -MModule::Load -E 'say Module::Load::_to_file(shift,1);'
> '::tmp::PWNED'
> > /tmp/PWNED.pm > > > > I have fixed this now and will be doing a release.
> > Zefram checked the core parser and is proposing either using > Module::Runtime::is_valid_module_name() > or use the regex from there: > qr/[A-Z_a-z][0-9A-Z_a-z]*(?:::[0-9A-Z_a-z]+)*/ > > That's far more forbidding than the current checks and my checks. > That's what core require bareword is checking.
Why not simply use Module::Runtime and have a single place for all these gory details?
  Sun Sep 16 06:41:09 2012 BINGOS [...] cpan.org - Correspondence added 5 min
Marking as resolved. Changes for 0.22 Tue Oct 4 21:44:32 2011 ============================================ * Resolve possible security problem [http://goo.gl/YzHRU] where a '::' prefixed module can 'jump' out of @INC Many thanks.
  Sun Sep 16 06:41:10 2012 BINGOS [...] cpan.org - Status changed from 'open' to 'resolved'
  Sun Sep 16 06:41:10 2012 BINGOS [...] cpan.org - Given to BINGOS
  Thu Jul 16 13:10:44 2015 dolmen [...] cpan.org - Reference by ticket #83091 added