Subject: Security issue if uncontrolled input is used in pattern with parse_duration
User-input in patterns is generally a bad idea (see also problems around sprintf), but it still shouldn't be this easy to run arbitrary code via a pattern:
perl -MDateTime::Format::Duration -E '
DateTime::Format::Duration->new( pattern => q{\/; system("touch /tmp/ohnoes");#} )->parse_duration("ohhai")
'
The part that makes this particular example work is that backslashes (\) aren't escaped, so patterns can avoid escaping of slashes (/) by preceding them with a backslash. There are likely other ways to inject arbitrary Perl into the string eval as well, but I didn't dig further. It's also notable that quotemeta() isn't used on the format before transforming it into a regex. The root of the problem is the means by which a "parser" is built, relying on string eval instead of building up a collection of regexp objects.
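As an added illustration of the alternative the report points to (this is example code, not DateTime::Format::Duration's own), a pattern-to-regex compiler that passes every literal run through quotemeta() and concatenates qr// objects instead of building Perl source for a string eval. The specifier set (%H, %M, %S, %%) is an assumed subset; the real module supports many more.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed subset of duration specifiers, each mapped to a regex object
# with a named capture. No user-controlled text ever enters this table.
my %SPEC = (
    H => qr/(?<hours>\d+)/,
    M => qr/(?<minutes>\d+)/,
    S => qr/(?<seconds>\d+)/,
);

# Compile a (possibly hostile) pattern into one regex object without eval.
# Literal runs are quotemeta'd, so backslashes, slashes, semicolons and
# everything else are matched literally rather than interpreted.
sub compile_pattern {
    my ($pattern) = @_;
    my $re = '';
    while ($pattern =~ /\G(?:%([HMS%])|([^%]+))/gc) {
        if (defined $1) {
            $re .= $1 eq '%' ? quotemeta('%') : $SPEC{$1};
        } else {
            $re .= quotemeta($2);
        }
    }
    # An unknown specifier or a trailing lone '%' stops the tokenizer
    # early; reject the pattern instead of guessing.
    my $consumed = pos($pattern) // 0;
    die "unparseable pattern at offset $consumed\n"
        if $consumed != length $pattern;
    return qr/\A$re\z/;
}

# Apply a compiled pattern; return a copy of the named captures or undef.
sub parse_duration {
    my ($re, $text) = @_;
    return undef unless $text =~ $re;
    return { %+ };
}

my $d = parse_duration(compile_pattern('%H:%M:%S'), '01:02:03');
printf "%s hours, %s minutes, %s seconds\n", @{$d}{qw(hours minutes seconds)};

# The pattern from the report is now just literal text: nothing is
# evaluated, and "ohhai" simply fails to match.
my $hostile = compile_pattern(q{\/; system("touch /tmp/ohnoes");#});
print defined parse_duration($hostile, 'ohhai')
    ? "matched\n" : "no match, no side effect\n";
```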