Merge pull request #343 from plack/load_psgi-inc-search

Stop load_psgi from searching .psgi files from @INC
miyagawa committed Oct 16, 2012
2 parents 33a5552 + f579a39 commit 63882c67274947f5e1486daa098e75280b2ec68e
Showing with 36 additions and 8 deletions.
  1. +1 −0 .gitignore
  2. +19 −8 lib/Plack/Util.pm
  3. +1 −0 t/Plack-Util/inc/hello.psgi
  4. +15 −0 t/Plack-Util/load.t
@@ -1,6 +1,7 @@
META.yml
Makefile
inc/
!t/Plack-Util/inc/
pm_to_blib
blib
*~
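Review bot: The exception on the `!t/Plack-Util/inc/` line is only needed because the existing `inc/` pattern is unanchored and matches a directory named inc at any depth. Anchoring it as `/inc/` would ignore only the top-level directory and make the negation unnecessary, so a later fixture placed under another inc/ directory is not silently left out of the repository.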
@@ -123,12 +123,17 @@ package Plack::Sandbox::%s;
END_EVAL
}
sub _relativize {
my $file = shift;
$file =~ m!^/! ? $file : "./$file";
}
sub load_psgi {
my $stuff = shift;
local $ENV{PLACK_ENV} = $ENV{PLACK_ENV} || 'development';
my $file = $stuff =~ /^[a-zA-Z0-9\_\:]+$/ ? class_to_file($stuff) : $stuff;
my $file = $stuff =~ /^[a-zA-Z0-9\_\:]+$/ ? class_to_file($stuff) : _relativize($stuff);
my $app = _load_sandbox($file);
die "Error while loading $file: $@" if $@;
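Review bot: `_relativize` treats a path as absolute only when it matches `m!^/!`, so an absolute Windows path with a drive letter would get "./" prepended and fail to load. Consider testing with `File::Spec->file_name_is_absolute($file)`, or replacing the helper with `File::Spec->rel2abs($stuff)`, which also pins the path to the current directory at the moment load_psgi is called. A short comment on `_relativize` saying that the "./" prefix is what keeps the file loader from searching @INC would help the next reader, since the code alone does not say why it is there.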
@@ -430,19 +435,25 @@ require the file to get PSGI application handler. If the file can't be
loaded (e.g. file doesn't exist or has a perl syntax error), it will
throw an exception.
Since version 1.0006, this function would not load PSGI files from
include paths (C<@INC>) unless it looks like a class name that only
consists of C<[A-Za-z0-9_:]>. For example:
Plack::Util::load_psgi("app.psgi"); # ./app.psgi
Plack::Util::load_psgi("/path/to/app.psgi"); # /path/to/app.psgi
Plack::Util::load_psgi("MyApp::PSGI"); # MyApp/PSGI.pm from @INC
B<Security>: If you give this function a class name or module name
that is loadable from your system, it will load the module. This could
lead to a security hole:
my $psgi = ...; # user-input: consider "Moose.pm"
$app = Plack::Util::load_psgi($psgi); # this does 'require "Moose.pm"'!
my $psgi = ...; # user-input: consider "Moose"
$app = Plack::Util::load_psgi($psgi); # this would lead to 'require "Moose.pm"'!
Generally speaking, passing an external input to this function is
considered very insecure. But if you really want to do that, be sure
to validate the argument passed to this function. Also, if you do not
want to accept an arbitrary class name but only load from a file path,
make sure that the argument C<$psgi_file_or_class> begins with C</> so
that Perl's built-in do function won't search the include path.
considered very insecure. If you really want to do that, validate that
a given file name contains dots (like C<foo.psgi>) and also turn it
into a full path in your caller's code.
=item run_app
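Review bot: The examples in the new "Since version 1.0006" paragraph leave out the one case the later dot check exists for: a bare file name without an extension, such as load_psgi("app"), consists only of `[A-Za-z0-9_:]` and is therefore still resolved as a class from @INC, not as ./app. Adding that as a fourth example line, and stating in the Security paragraph that the dot is what keeps an argument out of the class-name branch, would make the advice self-explanatory. The paragraph could also say that a dot check alone does not restrict which directory the file comes from, which is why the caller should build the full path itself.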
@@ -0,0 +1 @@
die "Do not load this file";
@@ -52,4 +52,19 @@ use Test::More;
}
}
{
require Cwd;
my $cwd = Cwd::cwd();
chdir "t/Plack-Util";
local @INC = ("./inc", @INC);
my $app = Plack::Util::load_psgi("hello.psgi");
ok $app;
test_psgi $app, sub {
is $_[0]->(GET "/")->content, "Hello";
};
chdir $cwd;
}
done_testing;
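Review bot: If load_psgi regresses and picks up inc/hello.psgi, the fixture's die propagates out of this block, so the script aborts before `chdir $cwd;` and `done_testing;` instead of recording a failed assertion. Wrapping the call in eval and asserting on the result (for example `ok $app, "loaded ./hello.psgi, not inc/hello.psgi"` together with a check that `$@` is empty) would report the regression as a test failure and still restore the working directory. The return value of `chdir "t/Plack-Util";` is also unchecked; `or die` there would stop the test from running against the wrong directory when it is started from somewhere other than the distribution root.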