Earlier safety check for @inc entry in pp_require.

In order to make sure we find embedded NULs early enough, before the directories in @inc have been through library calls that use C strings, check each directory in pp_require before concatenating a filename onto it.
Perl · Sep 17, 2013 · ddc65b6 · ddc65b6
1 parent 21869ca
commit ddc65b6
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/pp_ctl.c b/pp_ctl.c
@@ -3969,6 +3969,8 @@ PP(pp_require)
 			dirlen = 0;
 		    }
 
+		    if (!IS_SAFE_SYSCALL(dir, dirlen, "@INC entry", "require"))
+			continue;
 #ifdef VMS
 		    if (((unixdirbuf = SvPVX(sv_2mortal(newSVpv("", VMS_MAXRSS-1)))) == NULL)
 			|| ((unixdir = tounixpath(dir, unixdirbuf)) == NULL))

diff --git a/t/op/require_errors.t b/t/op/require_errors.t
@@ -128,7 +128,7 @@ like $@, qr/^Can't locate strict\.pm\\0invalid: /, 'do nul check';
   local @INC = @INC;
   unshift @INC, "lib\0invalid";
   eval { require "unknown.pm" };
-  like $WARN, qr{^Invalid \\0 character in pathname for require: lib\\0invalid/unknown\.pm at }, 'nul warning';
+  like $WARN, qr{^Invalid \\0 character in \@INC entry for require: lib\\0invalid at }, 'nul warning';
 }
 eval "require strict\0::invalid;";
 like $@, qr/^syntax error at \(eval \d+\) line 1/, 'parse error with \0 in barewords module names';