|Subject:||Storable::thaw called on untrusted inputs|
Spoon::Cookie in the Spoon CPAN module distribution allow storing data of any type on the client side browser using HTTP cookies. The data is serialized and deserialized using Perl's Storable module without any protections against tampering. This means any application using Spoon::Cookie will run Storable::thaw() on arbitrary untrusted user input. Storable is documented as being unsuitable for these purposes. From the Storable POD: Some features of Storable can lead to security vulnerabilities if you accept Storable documents from untrusted sources. Most obviously, the optional (off by default) CODE reference serialization feature allows transfer of code to the deserializing process. Furthermore, any serialized object will cause Storable to helpfully load the module corresponding to the class of the object in the deserializing module. For manipulated module names, this can load almost arbitrary code. Finally, the deserialized object's destructors will be invoked when the objects get destroyed in the deserializing process. Maliciously crafted Storable documents may put such objects in the value of a hash key that is overridden by another key/value pair in the same hash, thus causing immediate destructor execution.