Bug #94866 for UNIVERSAL-require: Lack of validation of module names could potentially cause security problems

RT for rt.cpan.org

This queue is for tickets about the UNIVERSAL-require CPAN distribution.

Report information

The Basics

People

Bug Information

History Show all quoted text

Fri Apr 18 15:53:35 2014 perl [...] toby.ink - Ticket created

Subject:

Lack of validation of module names could potentially cause security problems

As noted by Schwern himself in: http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or-bad-interfaces-make-good-people-do-bad-things.html One solution would be to make UNIVERSAL::require into a wrapper for Module::Runtime. Alternatively, you could just steal its regexp: qr/\A[A-Z_a-z][0-9A-Z_a-z]*(?:::[0-9A-Z_a-z]+)*\z/

Fri Apr 18 17:04:31 2014 NEILB [...] cpan.org - Correspondence added

Thanks, I'll deal with this tomorrow :-)

Fri Apr 18 17:04:32 2014 The RT System itself - Status changed from 'new' to 'open'

Fri Apr 18 17:04:32 2014 NEILB [...] cpan.org - Taken

Sat Apr 19 03:29:53 2014 NEILB [...] cpan.org - Correspondence added

Show quoted text

> Alternatively, you could just steal its regexp: > > qr/\A[A-Z_a-z][0-9A-Z_a-z]*(?:::[0-9A-Z_a-z]+)*\z/

I did this, thanks.

Sat Apr 19 03:29:54 2014 NEILB [...] cpan.org - Status changed from 'open' to 'resolved'

Sat Apr 19 03:29:55 2014 NEILB [...] cpan.org - Fixed in 0.17 added