Close the eval "require $module" security hole in Digest->new($algorithm)

Also the filter was incomplete.
commit 33800e83550bcad19c4fc593874ec3497841fa1e 1 parent 517c704
Michael G. Schwern authored October 01, 2011

Showing 2 changed files with 18 additions and 2 deletions. Show diff stats Hide diff stats

  1. 6  Digest.pm
  2. 14  t/security.t
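--- a/Digest.pm
+++ b/Digest.pm
@@ -24,7 +24,7 @@ sub new
     shift;  # class ignored
     my $algorithm = shift;
     my $impl = $MMAP{$algorithm} || do {
-        $algorithm =~ s/\W+//;
+        $algorithm =~ s/\W+//g;
         "Digest::$algorithm";
     };
     $impl = [$impl] unless ref($impl);
@@ -35,7 +35,9 @@ sub new
         ($class, @args) = @$class if ref($class);
         no strict 'refs';
         unless (exists ${"$class\::"}{"VERSION"}) {
-            eval "require $class";
+            my $pm_file = $class . ".pm";
+            $pm_file =~ s{::}{/}g;
+            eval { require $pm_file };
             if ($@) {
                 $err ||= $@;
                 next;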
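Review bot: The `require $pm_file` in the second hunk is only safe because of the `s/\W+//g` filter in the first hunk, and nothing at the require site says so; a comment such as `# $class is a trusted %MMAP entry or "Digest::" plus \w-only text from the filter above, so $pm_file can carry neither path separators nor code` would keep the two sites from drifting apart. The filter is written without `/a`, so under Unicode rules `\w` also admits non-ASCII letters; that cannot bring back an eval, but if only ASCII module names are intended, `s/\W+//ga;` (5.14+) or an anchored `\A[A-Za-z0-9_]+\z` check states it explicitly. String-form `require` still searches `@INC`, so the `%MMAP` values feeding `$class` must remain trusted data. `sub new` starts before the first hunk and continues after the second.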
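--- /dev/null
+++ b/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;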
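Review bot: The test pins only the side effect (`$LOL::PWNED` stays 0) and discards the outcome of the `eval`, so it cannot distinguish a rejected name from one that was silently mangled and loaded nothing. If `Digest->new` reports failure by dying, as the `eval` wrapper suggests, a second assertion `ok $@, 'injected algorithm name is rejected';` with `tests => 2` would document the expected outcome, and giving the existing check a description, `is $LOL::PWNED, 0, 'no code from the algorithm name was executed';`, makes a failure self-explaining. The header comment could also name the vector being regression-tested, e.g. `# Digest->new() used to pass the algorithm name through a string eval "require ..."`.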
