Skip Menu |

This queue is for tickets about the parent CPAN distribution.

Report information
The Basics
Id: 83091
Status: resolved
Priority: 0/
Queue: parent
People
Owner: Nobody in particular
Requestors: dolmen [...] cpan.org
rjbs [...] cpan.org
Cc: ether [...] cpan.org
AdminCc:
Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Feb 01 10:41:22 2013 rjbs [...] cpan.org - Ticket created
Subject: parent.pm use of "require EXPR" is somewhat busted
Given what parent.pm does, this is not a critical security issue (who is accepting arbitrary input to parent->input??), but it's still a problem: ~$ cat > Bogus.pm die "You are hosed." ~$ cd code ~/code$ perl -e 'use parent "../Bogus"' You are hosed. at ../Bogus.pm line 1. I have attached a patch, not for application, that proposes a first pass at a solution. -- rjbs
Subject: 0003-WIP-use-Module-Load-instead-of-broken-string-eval.patch
From bc05e62c1ab38831b2e8fdd232a0c9ca5d8bfcd0 Mon Sep 17 00:00:00 2001 From: Ricardo Signes <rjbs@cpan.org> Date: Fri, 1 Feb 2013 10:34:44 -0500 Subject: [PATCH 3/3] WIP: use Module::Load instead of broken string eval We should not use string eval to load classes, at least not without validating them first: ~$ cat > Bogus.pm die "You are hosed." ~$ cd code ~/code$ perl -e 'use parent "../Bogus"' You are hosed. at ../Bogus.pm line 1. We're not likely to be accepting untrusted input to "parent->import" but nonetheless, this is no good. We should use something well-tested, like Module::Load. Unfortunately, Module::Load does not handle ' as a package separator. This issue should be revisited. --- lib/parent.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/parent.pm b/lib/parent.pm index 6f3fe07..0503b72 100755 --- a/lib/parent.pm +++ b/lib/parent.pm @@ -28,10 +28,10 @@ sub import { } push @to_push, $name; - $name =~ s{::|'}{/}g; # dies if the file is not found - require "$name.pm" unless $arg{no_require}; + require Module::Load; + Module::Load::load($name) unless $arg{no_require}; $name->VERSION($arg{version}) if defined $arg{version}; } -- 1.8.1
  Fri Feb 01 13:05:50 2013 dagolden [...] cpan.org - Correspondence added
On Fri Feb 01 10:41:22 2013, RJBS wrote: Show quoted text
> I have attached a patch, not for application, that proposes a first > pass at a solution.
Won't work with Module::Load because it doesn't work with apostrophes. See cpan.rt.org #83093
  Fri Feb 01 13:05:51 2013 The RT System itself - Status changed from 'new' to 'open'
  Fri Feb 01 13:06:04 2013 dagolden [...] cpan.org - Reference to ticket #83093 added
  Fri Feb 01 13:07:12 2013 ether [...] cpan.org - Cc ETHER added
  Fri Feb 01 13:29:32 2013 rjbs [...] cpan.org - Correspondence added
On 2013-02-01 13:05:50, DAGOLDEN wrote: Show quoted text
> On Fri Feb 01 10:41:22 2013, RJBS wrote:
> > I have attached a patch, not for application, that proposes a first > > pass at a solution.
> > Won't work with Module::Load because it doesn't work with apostrophes. > > See cpan.rt.org #83093 >
I know, that's what it says in the patch's commit message! Anyway, BinGOs just uploaded Module::Load 0.24, which fixes this, due to your bug report! Yaaay! -- rjbs
  Wed Jan 14 08:29:15 2015 dolmen [...] cpan.org - Correspondence added
Le 2013-02-01 16:41:22, RJBS a écrit :
Show quoted text
> I have attached a patch, not for application, that proposes a first
> pass at a solution.

Is the solution really equivalent in case of a .pmc file exists?
I'm asking because the distribution has an explicit test about .pmc files: https://metacpan.org/source/CORION/parent-0.228/t/parent-pmc.t

-- 
Olivier Mengué - http://perlresume.org/DOLMEN - https://gratipay.com/dolmen/
  Wed May 27 09:05:43 2015 haarg [...] haarg.org - Correspondence added
Loading a .pmc file if it exists instead of the .pm is handled by perl internally. This happens for require "Foo/Bar.pm"; just like it does for require Foo::Bar;
  Thu Jul 16 12:49:59 2015 dolmen [...] cpan.org - Correspondence added
Le 2013-02-01 16:41:22, RJBS a écrit :
Show quoted text
>
> Given what parent.pm does, this is not a critical security issue (who
> is accepting arbitrary input
> to parent->input??), but it's still a problem:
>
> ~$ cat > Bogus.pm
> die "You are hosed."
> ~$ cd code
> ~/code$ perl -e 'use parent "../Bogus"'
> You are hosed. at ../Bogus.pm line 1.
>
> I have attached a patch, not for application, that proposes a first
> pass at a solution.

Module::Load is not a good solution (at least not enough) to this issue as it (0.32) allows to load any path starting with '.'. See https://metacpan.org/source/BINGOS/Module-Load-0.32/lib/Module/Load.pm#L131

Demonstration (using the attached patch which is just rjbs's intent rebased on git a7082f56ea98d9676514fe7a068691141a08da2b):

~$ cat > Bogus.pm
die "You are hosed."
~$ cd code
~/code$ perl -e 'use parent "../Bogus.pm"'
You are hosed. at ../Bogus.pm line 1.


-- 
Olivier Mengué - http://perlresume.org/DOLMEN - https://gratipay.com/dolmen/
Subject: RT83091-invalid-solution.patch
diff --git a/lib/parent.pm b/lib/parent.pm index f6e8cd4..2ff4c55 100644 --- a/lib/parent.pm +++ b/lib/parent.pm @@ -11,10 +11,8 @@ sub import { if ( @_ and $_[0] eq '-norequire' ) { shift @_; } else { - for ( my @filename = @_ ) { - s{::|'}{/}g; - require "$_.pm"; # dies if the file is not found - } + require Module::Load; + Module::Load::load($_) for @_; } {
  Thu Jul 16 12:59:41 2015 ether [...] cpan.org - Correspondence added
On 2015-07-16 09:49:59, DOLMEN wrote: Show quoted text
> Module::Load is not a good solution (at least not enough) to this > issue as it > (0.32) allows to load any path starting with '.'. See > https://metacpan.org/source/BINGOS/Module-Load- > 0.32/lib/Module/Load.pm#L131
Whoa, we really ought to fix this, given that Module::Load is dual-lifed (and it would be nice to be able to start using it in high-cpan-river distributions instead of Module::Runtime).
  Thu Jul 16 13:08:55 2015 dolmen [...] cpan.org - Correspondence added
Le 2015-07-16 18:59:41, ETHER a écrit :
Show quoted text
> On 2015-07-16 09:49:59, DOLMEN wrote:
>
> > Module::Load is not a good solution (at least not enough) to this
> > issue as it
> > (0.32) allows to load any path starting with '.'. See
> > https://metacpan.org/source/BINGOS/Module-Load-
> > 0.32/lib/Module/Load.pm#L131
>
> Whoa, we really ought to fix this, given that Module::Load is dual-
> lifed (and it would be nice to be able to start using it in high-cpan-
> river distributions instead of Module::Runtime).

Unfortunatelly I think that is a *feature* of Module::Load that can't be removed (and by the way this is the main reason why I don't want to ever use Module::Load in place of Module::Runtime).

-- 
Olivier Mengué - http://perlresume.org/DOLMEN - https://gratipay.com/dolmen/
  Thu Jul 16 13:10:21 2015 dolmen [...] cpan.org - Requestor DOLMEN added
  Thu Jul 16 13:10:44 2015 dolmen [...] cpan.org - Reference to ticket #71442 added
  Thu Dec 26 05:26:35 2019 corion [...] cpan.org - Correspondence added
While Module::Load is in core now, I don't see this as an issue to be fixed with parent.pm . If you are loading a superclass from arbitrary user input and things break, you get to keep all the parts. If somebody submits a patch that still works on 5.8.x, I'm happy to apply it. That patch should then also move some code from parent.pm to use Module::Load::_to_file()
  Thu Dec 26 05:26:35 2019 corion [...] cpan.org - Status changed from 'open' to 'resolved'