Skip Menu |

This queue is for tickets about the Moo CPAN distribution.

Report information
The Basics
Id: 81072
Status: resolved
Priority: 0/
Queue: Moo

Owner: Nobody in particular
Requestors: mail [...]

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)

Subject: Loading roles uses $_ in a very fragile way.
Download (untitled) / with headers
text/plain 711b
The code Moo::Role uses to apply roles is this: sub apply_roles_to_package { my ($me, $to, @roles) = @_; $me->_inhale_if_moose($_) for @roles; $me->SUPER::apply_roles_to_package($to, @roles); } Within the for loop, global $_ is aliased to the individual roles in the @roles array. Now, _inhale_if_moose ultimately loads the role module if it's not already been loaded. The role module (and any other modules that are loaded by it) can alter $_ and thus alter the contents of the @roles array which then gets passed to SUPER::apply_roles_to_package! There is a minimal test case, plus a patch to fix Moo::Role attached. Role::Tiny may also be vulnerable, but I've not checked.
Subject: moo-role-bug.tar.gz
Download moo-role-bug.tar.gz
application/x-gzip 701b

Message body not shown because it is not plain text.

Moo::_set_superclasses also seems vulnerable.
Download (untitled) / with headers
text/plain 133b
This is now fixed in git master for Moo->_set_superclasses, Moo::Role- Show quoted text
>apply_roles_to_package and Moo::Role->create_class_with_roles
Fixed in 1.000006, just uploaded to CPAN

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to