Plack::Util::load_class security vulnerabilities #285

Closed
tobyink opened this Issue May 9, 2012 · 2 comments


@tobyink

load_class doesn't, for example, check for things like "..::..::" in module names, which can lead to potential security issues if untrusted user input is passed to load_class.

This danger should either be mentioned in the documentation, or better checks should be performed before requiring a module. Module::Runtime (on CPAN) is a good example of how to check module names and require them.
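An added illustration of the check described above (not Plack's own code, and not Module::Runtime itself): a loader that validates the name with a Module::Runtime-style pattern before calling `require`, so names such as `..::..::etc::passwd` are rejected instead of being turned into a relative file path. The pattern and the helper names are this example's assumptions.

```perl
#!/usr/bin/env perl
# Added example: guard a module name before requiring it.
use strict;
use warnings;

# Assumption: a module name is an identifier followed by zero or more
# "::identifier" components (the shape Module::Runtime accepts); anything
# else, including ".", "/" or ";", is refused before it reaches require.
my $MODULE_NAME_RX = qr/\A[A-Za-z_][0-9A-Za-z_]*(?:::[0-9A-Za-z_]+)*\z/;

sub is_module_name {
    my ($name) = @_;
    return defined $name && $name =~ $MODULE_NAME_RX;
}

# Hypothetical guarded counterpart of a "translate :: to / and require" loader.
sub safe_load_class {
    my ($class) = @_;
    die "refusing to load invalid module name: "
        . (defined $class ? "'$class'" : 'undef') . "\n"
        unless is_module_name($class);
    (my $file = "$class.pm") =~ s{::}{/}g;
    require $file;
    return $class;
}

# Constructed inputs: two ordinary names, then values that a naive
# s{::}{/}g + require would map onto a relative path or odd file name.
for my $candidate ('Plack::Util', 'List::Util', '..::..::etc::passwd',
                   'Foo::../Bar', 'Foo;exec', '') {
    printf "%-7s '%s'\n", (is_module_name($candidate) ? 'accept' : 'reject'), $candidate;
}

# The guarded loader: a core module loads, a traversal-shaped name dies.
for my $class ('List::Util', '..::..::etc::passwd') {
    my $loaded = eval { safe_load_class($class) };
    print $loaded ? "loaded $loaded\n" : "error: $@";
}
```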

@miyagawa
plack member

I can argue that if untrusted user input is passed to this method it is vulnerable anyway.

But yes I know the long story about that: http://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or-bad-interfaces-make-good-people-do-bad-things.html

@tobyink

Indeed - it's a dangerous thing to do. But the existence of the Plack::Util::load_class function may lull people into a false sense of security. ("Of course I can do it! Miyagawa has provided this cool function which will take care of all the tricky bits.") A prominent warning in the documentation would be a good start.

@miyagawa miyagawa closed this in 931e921 Aug 13, 2012
@miyagawa miyagawa added a commit that referenced this issue Aug 14, 2012
@miyagawa miyagawa
Checking in changes prior to tagging of version 1.0002.
Changelog diff is:

diff --git a/Changes b/Changes
index 799d98c..d1144bf 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,18 @@
 Go to http://github.com/plack/Plack/issues for the roadmap and known issues.

+1.0002  Mon Aug 13 17:04:25 PDT 2012
+    [NEW FEATURES]
+        - Added --no-default-middleware option to plackup #290
+
+    [BUG FIXES]
+        - Use C locale for AccessLog strftime #313
+        - Escape Plack::Request URI path using RFC 3986 definition (ssmccoy)
+
+    [IMPROVEMENTS]
+        - Documentation improvements (ether, Tom Heady)
+        - Skip displaying ".." in Plack::App::Directory #277
+        - Document load_class() doesn't validate user input. #285
+
 1.0001  Thu Jul 26 16:24:13 PDT 2012
     [INCOMPATIBLE CHANGES]
         - Deleted lots of code, methods and warnings that have been deprecated since 0.99
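Review bot: the [IMPROVEMENTS] entry "- Document load_class() doesn't validate user input. #285" closes an issue that asked for either a documented warning or actual name checks, but the entry does not say where the warning now lives or what callers should do instead; consider wording it so readers of Changes can act on it, e.g. "Document that load_class() does not validate module names; callers passing untrusted input should check the name first (Module::Runtime is suggested in #285)."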
53f0f90