Bug #81072 for Moo: Loading roles uses $

Fri Nov 09 07:52:43 2012 perl [...] toby.ink - Ticket created

Subject:

Loading roles uses $_ in a very fragile way.

The code Moo::Role uses to apply roles is this: sub apply_roles_to_package { my ($me, $to, @roles) = @_; $me->_inhale_if_moose($_) for @roles; $me->SUPER::apply_roles_to_package($to, @roles); } Within the for loop, global $_ is aliased to the individual roles in the @roles array. Now, _inhale_if_moose ultimately loads the role module if it's not already been loaded. The role module (and any other modules that are loaded by it) can alter $_ and thus alter the contents of the @roles array which then gets passed to SUPER::apply_roles_to_package! There is a minimal test case, plus a patch to fix Moo::Role attached. Role::Tiny may also be vulnerable, but I've not checked.

Subject:

moo-role-bug.tar.gz

Download moo-role-bug.tar.gz
application/x-gzip 701b

Message body not shown because it is not plain text.

Fri Nov 09 07:57:18 2012 perl [...] toby.ink - Correspondence added

Moo::_set_superclasses also seems vulnerable.

Fri Nov 09 07:57:19 2012 perl [...] toby.ink - Status changed from 'new' to 'open'

Mon Nov 12 04:44:29 2012 ilmari+cpan [...] ilmari.org - Correspondence added

This is now fixed in git master for Moo->_set_superclasses, Moo::Role- Show quoted text

>apply_roles_to_package and Moo::Role->create_class_with_roles

Mon Nov 12 04:44:30 2012 ilmari+cpan [...] ilmari.org - Status changed from 'open' to 'patched'

Fri Nov 16 06:24:24 2012 ilmari+cpan [...] ilmari.org - Correspondence added

Fixed in 1.000006, just uploaded to CPAN

Fri Nov 16 06:24:25 2012 The RT System itself - Status changed from 'patched' to 'open'

Fri Nov 16 06:24:25 2012 ilmari+cpan [...] ilmari.org - Status changed from 'open' to 'resolved'

Bug #81072 for Moo: Loading roles uses $_ in a very fragile way.