Subject: Possible security risk w/ arbitrary code execution from $ENV
Seems like the sort of thing that could be easily resolved in a sane fashion.
export PACKAGE_STASH_IMPLEMENTATION="PP; print qq{hurr\n}; exit 1 "
and then any code that does "use Package::Stash" will execute the arbitrary code specified in $ENV and terminate.
https://metacpan.org/source/DOY/Package-Stash-0.33/lib/Package/Stash.pm#L17
I think it's safer to validate the value "Package::Stash::$IMPLEMENTATION" against a known-safe package regexp, or to use Module::Runtime to load the module; those seem like "Sane" approaches.
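As an added illustration of the second suggestion (this is not Package::Stash's own code), the loader below reads the implementation name from the environment but restricts it to a bareword from a known set and loads it through Module::Runtime's use_module, so the string is only ever treated as a module name and never as Perl source; the default of XS and the helper names are assumptions for this example.

```perl
#!/usr/bin/env perl
# Added example, not the Package::Stash distribution's code: a loader that
# accepts PACKAGE_STASH_IMPLEMENTATION from the environment without eval STRING.
use strict;
use warnings;
use Module::Runtime qw(use_module is_module_name);

# The implementations Package::Stash ships (PP and XS); anything else is
# rejected instead of being interpolated into an eval.
my %known = map { $_ => 1 } qw(PP XS);

sub choose_implementation {
    my ($raw) = @_;    # e.g. $ENV{PACKAGE_STASH_IMPLEMENTATION}
    return 'XS' unless defined $raw && length $raw;    # assumed default

    # A single bareword only: the "PP; print qq{hurr\n}; exit 1 " value from
    # the report fails this check and never reaches the loader.
    die "Invalid PACKAGE_STASH_IMPLEMENTATION '$raw'\n"
        unless $raw =~ /\A[A-Z][A-Za-z0-9_]*\z/ && $known{$raw};
    return $raw;
}

sub load_implementation {
    my ($impl) = choose_implementation(@_);
    my $class  = "Package::Stash::$impl";

    # Module::Runtime checks the name again and uses require(), not eval STRING.
    die "Not a module name: $class\n" unless is_module_name($class);
    return use_module($class);
}

# Demonstration: the report's payload is rejected rather than executed.
for my $value ( 'PP', 'XS', 'PP; print qq{hurr\n}; exit 1 ' ) {
    my $class = eval { load_implementation($value) };
    printf "%-40s => %s\n", "'$value'",
        defined $class ? "loaded $class" : "rejected: $@";
}
```

Running it without Package::Stash installed still shows the distinction: PP and XS fail only with a "Can't locate" error from require, while the injected value dies in choose_implementation before any loading is attempted.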