This queue is for tickets about the Moo CPAN distribution.

Report information
The Basics
Id: 81072
Status: resolved
Priority: 0/
Queue: Moo

People
Owner: Nobody in particular
Requestors: mail [...] tobyinkster.co.uk
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: Loading roles uses $_ in a very fragile way.
The code Moo::Role uses to apply roles is this:

    sub apply_roles_to_package {
      my ($me, $to, @roles) = @_;
      $me->_inhale_if_moose($_) for @roles;
      $me->SUPER::apply_roles_to_package($to, @roles);
    }

Within the for loop, global $_ is aliased to the individual roles in the @roles array. Now, _inhale_if_moose ultimately loads the role module if it's not already been loaded. The role module (and any other modules that are loaded by it) can alter $_ and thus alter the contents of the @roles array which then gets passed to SUPER::apply_roles_to_package!

There is a minimal test case, plus a patch to fix Moo::Role attached. Role::Tiny may also be vulnerable, but I've not checked.
Subject: moo-role-bug.tar.gz

Moo::_set_superclasses also seems vulnerable.
This is now fixed in git master for Moo->_set_superclasses, Moo::Role->apply_roles_to_package and Moo::Role->create_class_with_roles
Fixed in 1.000006, just uploaded to CPAN
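
The aliasing problem reported in this ticket, reproduced as an added example (not code from the ticket, its attachments or Moo itself). Constructed::Role, load_module, apply_fragile and apply_safe are hypothetical names, and the lexical loop variable is one common way to avoid the problem, not necessarily the change that went into Moo.

```perl
use strict;
use warnings;

# Constructed role module: its file-scope code reads lines with
# while (<$fh>), which assigns to the global $_ without localizing it.
my $src = <<'EOM';
package Constructed::Role;
open my $fh, '<', \"a\nb\n" or die $!;
while (<$fh>) { }    # leaves the global $_ undefined at EOF
1;
EOM

# @INC hook (scaffolding) that serves the constructed module from memory.
unshift @INC, sub {
    my (undef, $file) = @_;
    return unless $file eq 'Constructed/Role.pm';
    open my $fh, '<', \$src or die $!;
    return $fh;
};

# Hypothetical stand-in for a loader such as _inhale_if_moose.
sub load_module {
    my ($name) = @_;
    (my $file = "$name.pm") =~ s{::}{/}g;
    delete $INC{$file};    # force a fresh load on every call
    require $file;
}

# Fragile: $_ aliases each element of @roles while the module loads.
sub apply_fragile {
    my @roles = @_;
    load_module($_) for @roles;
    return @roles;         # what would be handed to the next method
}

# Safer: a lexical loop variable is out of reach of the loaded code.
sub apply_safe {
    my @roles = @_;
    for my $role (@roles) { load_module($role) }
    return @roles;
}

for my $case ([fragile => \&apply_fragile], [safe => \&apply_safe]) {
    my ($label, $code) = @$case;
    my @out = map { defined $_ ? $_ : '<undef>' } $code->('Constructed::Role');
    print "$label: roles after loading = @out\n";
}
```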

