Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
CVE-2016-1238: don't load optional modules from default .
App::Cpan attempts to load several optional modules, which an attacker
can use if cpan is run from a directory writable by other users, such
as /tmp.
- Loading branch information
Showing
with
16 additions
and
5 deletions.
-
+16
−5
lib/App/Cpan.pm
|
@@ -549,9 +549,20 @@ sub AUTOLOAD { 1 } |
|
|
sub DESTROY { 1 } |
|
|
} |
|
|
|
|
|
# load a module without searching the default entry for the current |
|
|
# directory |
|
|
sub _safe_load_module { |
|
|
my $name = shift; |
|
|
|
|
|
local @INC = @INC; |
|
|
pop @INC if $INC[-1] eq '.'; |
|
|
|
|
|
eval "require $name; 1"; |
|
|
} |
|
|
|
|
|
sub _init_logger |
|
|
{ |
|
|
my $log4perl_loaded = eval "require Log::Log4perl; 1"; |
|
|
my $log4perl_loaded = _safe_load_module("Log::Log4perl"); |
|
|
|
|
|
unless( $log4perl_loaded ) |
|
|
{ |
|
@@ -1020,7 +1031,7 @@ sub _load_local_lib # -I |
|
|
{ |
|
|
$logger->debug( "Loading local::lib" ); |
|
|
|
|
|
my $rc = eval { require local::lib; 1; }; |
|
|
my $rc = _safe_load_module("local::lib"); |
|
|
unless( $rc ) { |
|
|
$logger->die( "Could not load local::lib" ); |
|
|
} |
|
@@ -1160,7 +1171,7 @@ sub _get_file |
|
|
{ |
|
|
my $path = shift; |
|
|
|
|
|
my $loaded = eval "require LWP::Simple; 1;"; |
|
|
my $loaded = _safe_load_module("LWP::Simple"); |
|
|
croak "You need LWP::Simple to use features that fetch files from CPAN\n" |
|
|
unless $loaded; |
|
|
|
|
@@ -1182,7 +1193,7 @@ sub _gitify |
|
|
{ |
|
|
my $args = shift; |
|
|
|
|
|
my $loaded = eval "require Archive::Extract; 1;"; |
|
|
my $loaded = _safe_load_module("Archive::Extract"); |
|
|
croak "You need Archive::Extract to use features that gitify distributions\n" |
|
|
unless $loaded; |
|
|
|
|
@@ -1245,7 +1256,7 @@ sub _show_Changes |
|
|
sub _get_changes_file |
|
|
{ |
|
|
croak "Reading Changes files requires LWP::Simple and URI\n" |
|
|
unless eval "require LWP::Simple; require URI; 1"; |
|
|
unless _safe_load_module("LWP::Simple") && _safe_load_module("URI"); |
|
|
|
|
|
my $url = shift; |
|
|
|
|
|