
This queue is for tickets about the DateTime-Format-Duration CPAN distribution.

Report information
The Basics
Id: 97472
Status: new
Priority: 0/
Queue: DateTime-Format-Duration

People
Owner: Nobody in particular
Requestors: tsibley [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.03a
Fixed in: (no value)
Subject: Security issue if uncontrolled input is used in pattern with parse_duration
User input in patterns is generally a bad idea (see also problems around sprintf), but it still shouldn't be this easy to run arbitrary code via a pattern:

    perl -MDateTime::Format::Duration -E '
        DateTime::Format::Duration->new(
            pattern => q{\/; system("touch /tmp/ohnoes");#}
        )->parse_duration("ohhai")
    '

The part that makes this particular example work is that backslashes (\) aren't escaped, so patterns can avoid escaping of slashes (/) by preceding them with a backslash. There are likely other ways to inject arbitrary Perl into the string eval as well, but I didn't dig further.

It's also notable that quotemeta() isn't used on the format before transforming it into a regex. The root of the problem is the means by which a "parser" is built, relying on string eval instead of building up a collection of regexp objects.
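As an added example (not code from the ticket or from the DateTime-Format-Duration module), the following shows the approach the report points to: compiling a pattern into a regex object, with literal text passed through quotemeta, so that pattern content never reaches a string eval. The %H/%M/%S directive table and the parse_duration/compile_pattern names are assumptions for illustration, not the module's own API.

```perl
# Added example, not the module's code: compile a duration pattern into a
# regex object instead of building Perl source for a string eval.
use strict;
use warnings;

# Assumed, simplified directive table: each %X becomes a named capture.
my %TOKEN = (
    H => qr/(?<hours>\d+)/,
    M => qr/(?<minutes>\d+)/,
    S => qr/(?<seconds>\d+)/,
);

# Turn a pattern into a single qr// object. Literal runs go through
# quotemeta, so backslashes, slashes, ';' and '#' can only ever match
# themselves; no part of the pattern is ever evaluated as Perl.
sub compile_pattern {
    my ($pattern) = @_;
    my $re = '';
    while (length $pattern) {
        if ($pattern =~ s/\A%(.)//s) {           # a %X directive
            my $tok = $1;
            if    ($tok eq '%')         { $re .= quotemeta('%') }
            elsif (exists $TOKEN{$tok}) { $re .= $TOKEN{$tok} }
            else                        { die "unknown directive %$tok\n" }
        }
        elsif ($pattern =~ s/\A([^%]+)//) {     # a run of literal text
            $re .= quotemeta($1);
        }
        else {                                   # lone trailing '%'
            die "dangling '%' at end of pattern\n";
        }
    }
    return qr/\A$re\z/;
}

# Match input against the compiled pattern; returns a hashref of the
# named fields that matched, or undef when the input does not match.
sub parse_duration {
    my ($pattern, $input) = @_;
    my $re = compile_pattern($pattern);
    return undef unless $input =~ $re;
    return +{ map { $_ => $+{$_} } keys %+ };
}
my $fields = parse_duration('%H:%M:%S', '01:30:15');
printf "hours=%s minutes=%s seconds=%s\n", @{$fields}{qw(hours minutes seconds)};
# The ticket's hostile pattern holds no directives, so it compiles to a regex
# for exactly that literal text; "ohhai" just fails to match, nothing runs.
my $hostile = parse_duration(q{\/; system("touch /tmp/ohnoes");#}, 'ohhai');
print defined $hostile ? "matched\n" : "no match, and nothing was executed\n";
```

Because every literal run is escaped and directives are looked up in a fixed table, a pattern can only ever change what text is matched, never what code is run.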