This queue is for tickets about the Module-Find CPAN distribution.

Report information
The Basics
Id: 127657
Status: resolved
Priority: 0
Queue: Module-Find

People
Owner: Nobody in particular
Requestors: ether [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: 0.15



Subject: security risk: wrong module can be loaded when using @ModuleDirs
@ModuleDirs only adjusts what directories are searched in, not what directories the module is loaded from... so if you search in one directory but the same module name exists in @INC, the 'eval "require $m"' will load the wrong file. This is a potential security risk. @INC should be localized to @ModuleDirs first, if it is set.
Thank you for reporting this. This is indeed a potential security risk (and a functional bug) when using setmoduledirs to set an array of directories that does not include @INC. I've fixed it in 0.15.
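The report and the reply above describe one mechanism: a search confined to a caller-supplied directory list, followed by a `require` that resolves the module name through the full `@INC` again. The Perl script below is an added example, not Module::Find's own code and not the 0.15 fix itself. It rebuilds the pattern with a small hypothetical helper (`find_and_load_unsafe`) and a constructed module name (`Demo::Target`) placed in two temporary directories, shows the shadow copy winning when `@INC` is left alone, and shows the localized-`@INC` variant the ticket asks for picking the file the search actually saw.

```perl
#!/usr/bin/env perl
# Added example (not Module::Find's code): reproduces the @INC precedence
# problem from the ticket with a throwaway search-and-load helper, then
# shows the localized-@INC fix the report asks for.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use File::Spec;

# Constructed fixture: two directories that both carry Demo::Target
# (a hypothetical module name). $trusted is the directory we mean to
# search; $shadow stands in for an earlier @INC entry (PERL5LIB, -I, a
# writable site dir) that someone else could populate with a same-named file.
my $trusted = tempdir(CLEANUP => 1);
my $shadow  = tempdir(CLEANUP => 1);

sub write_module {
    my ($root, $tag) = @_;
    my $dir = File::Spec->catdir($root, 'Demo');
    make_path($dir);
    my $file = File::Spec->catfile($dir, 'Target.pm');
    open my $fh, '>', $file or die "open $file: $!";
    print $fh "package Demo::Target;\n",
              "no warnings 'redefine';\n",   # the file is compiled twice below
              "sub origin { '$tag' }\n1;\n";
    close $fh or die "close $file: $!";
}
write_module($trusted, 'trusted');
write_module($shadow,  'shadow');

unshift @INC, $shadow;   # the shadow copy now outranks everything in @INC

# The pattern the ticket describes: the *search* is confined to @dirs,
# but the subsequent require() resolves the name through @INC again.
sub find_and_load_unsafe {
    my @dirs = @_;
    my @found;
    for my $d (@dirs) {
        push @found, 'Demo::Target'
            if -f File::Spec->catfile($d, 'Demo', 'Target.pm');
    }
    for my $m (@found) {
        delete $INC{'Demo/Target.pm'};   # force a fresh load for the demo
        eval "require $m; 1" or die "require $m failed: $@";
    }
    return { file => $INC{'Demo/Target.pm'}, origin => Demo::Target->origin };
}

# The fix: while loading, make @INC *be* the searched directories, so the
# name can only resolve to a file the search itself found.
sub find_and_load_localized {
    my @dirs = @_;
    local @INC = @dirs;
    return find_and_load_unsafe(@dirs);
}

my $bad  = find_and_load_unsafe($trusted);
my $good = find_and_load_localized($trusted);

printf "search dir : %s\n", $trusted;
printf "unsafe     : loaded %s (origin=%s)\n", $bad->{file},  $bad->{origin};
printf "localized  : loaded %s (origin=%s)\n", $good->{file}, $good->{origin};

die "unsafe path did not pick the shadow copy"
    unless $bad->{origin} eq 'shadow';
die "localized path did not pick the trusted copy"
    unless $good->{origin} eq 'trusted';
```

Run it as-is; the unsafe call reports the file under `$shadow` while the localized call reports the one under `$trusted`. The caveat the reply hints at with "an array of directories that does not include @INC" follows directly from `require` semantics: once `@INC` is localized to the search list, anything the loaded file itself `use`s must already sit in `%INC` or live under one of those directories, so callers who want both the isolation and normal dependency resolution have to include the relevant `@INC` entries in the list they pass.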


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.