Close the eval "require $module" security hole in Digest->new($algori…

…thm) Also the filter was incomplete.
gisle · Oct 2, 2011 · 33800e8 · 33800e8
1 parent 517c704
commit 33800e8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/Digest.pm b/Digest.pm
@@ -24,7 +24,7 @@ sub new
     shift;  # class ignored
     my $algorithm = shift;
     my $impl = $MMAP{$algorithm} || do {
-        $algorithm =~ s/\W+//;
+        $algorithm =~ s/\W+//g;
         "Digest::$algorithm";
     };
     $impl = [$impl] unless ref($impl);
@@ -35,7 +35,9 @@ sub new
         ($class, @args) = @$class if ref($class);
         no strict 'refs';
         unless (exists ${"$class\::"}{"VERSION"}) {
-            eval "require $class";
+            my $pm_file = $class . ".pm";
+            $pm_file =~ s{::}{/}g;
+            eval { require $pm_file };
             if ($@) {
                 $err ||= $@;
                 next;

diff --git a/t/security.t b/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;