Plack::Util::load_class security vulnerabilities #285

tobyink opened this Issue May 9, 2012 · 2 comments

load_class doesn't, for example, check for things like "..::..::" in module names, which can lead to potential security issues if untrusted user input is passed to load_class.

This danger should either be mentioned in the documentation, or better checks should be performed before requiring a module. Module::Runtime (on CPAN) is a good example of how to check module names and require them.
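As an added example (not Plack's own code, and not Module::Runtime itself) of the check the issue asks for: a guarded variant of the require-by-name pattern that validates the class name against a Perl package-name regex of the kind Module::Runtime's `check_module_name` uses, before the `::` to `/` translation and the `require` ever happen. `is_module_name` and `safe_load_class` are names chosen here; the prefix handling is simplified and omits Plack's leading "+" escape. The sample names are constructed to show what a traversal-shaped name would have been turned into.

```perl
#!/usr/bin/env perl
# Added example: validate a module name before turning it into a path for
# require, in the spirit of Module::Runtime. Not Plack's load_class.
use strict;
use warnings;

# Perl package name: an identifier, then zero or more "::"-separated
# identifiers. Anything else ("..", "/", a trailing "::") is rejected.
my $MODULE_NAME_RX = qr/\A[A-Za-z_][0-9A-Za-z_]*(?:::[0-9A-Za-z_]+)*\z/;

sub is_module_name {
    my ($name) = @_;
    return defined $name && $name =~ $MODULE_NAME_RX;
}

# Hypothetical guarded loader: refuse bad names before any file is touched.
sub safe_load_class {
    my ($class, $prefix) = @_;
    die "Invalid module name: " . (defined $class ? "'$class'" : 'undef') . "\n"
        unless is_module_name($class);
    # Prepend the caller-supplied (trusted) prefix unless already present.
    $class = "$prefix\::$class"
        if defined $prefix && $class !~ /\A\Q$prefix\E(?:::|\z)/;
    (my $file = $class) =~ s!::!/!g;
    require "$file.pm";    # only reached with a syntactically valid name
    return $class;
}

# Constructed inputs: one real-looking class name, then attacker-shaped
# names. Show the path a naive "::" -> "/" translation would produce.
for my $name ('Plack::Middleware::Static', '..::..::tmp::Evil', 'Foo/Bar', 'Foo::') {
    (my $file = $name) =~ s!::!/!g;
    printf "%-26s -> %-22s %s\n", $name, "$file.pm",
        is_module_name($name) ? 'accepted' : 'REJECTED';
}

# Through the guarded loader: a core module loads, the traversal name dies.
print "loaded ", safe_load_class('Util', 'List'), "\n";
eval { safe_load_class('..::..::tmp::Evil', 'Plack::Middleware') };
print "refused: $@";
```

The point of validating the name rather than the derived path is that the check is cheap, exact, and independent of how `require` resolves relative paths on a given Perl: a name that matches the regex can only map to `A/B/C.pm` under an `@INC` directory, so the `..` segments never get a chance to mean anything.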

plack member

I can argue that if untrusted user input is passed to this method it is vulnerable anyway.

But yes I know the long story about that:


Indeed - it's a dangerous thing to do. But the existence of the Plack::Util::load_class function may lull people into a false sense of security. ("Of course I can do it! Miyagawa has provided this cool function which will take care of all the tricky bits.") A prominent warning in the documentation would be a good start.

@miyagawa miyagawa closed this in 931e921 Aug 13, 2012
@miyagawa miyagawa added a commit that referenced this issue Aug 14, 2012
@miyagawa miyagawa Checking in changes prior to tagging of version 1.0002.
Changelog diff is:

diff --git a/Changes b/Changes
index 799d98c..d1144bf 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,18 @@
 Go to for the roadmap and known issues.

+1.0002  Mon Aug 13 17:04:25 PDT 2012
+        - Added --no-default-middleware option to plackup #290
+    [BUG FIXES]
+        - Use C locale for AccessLog strftime #313
+        - Escape Plack::Request URI path using RFC 3986 definition (ssmccoy)
+        - Documentation improvements (ether, Tom Heady)
+        - Skip displaying ".." in Plack::App::Directory #277
+        - Document load_class() doesn't validate user input. #285
 1.0001  Thu Jul 26 16:24:13 PDT 2012
         - Deleted lots of code, methods and warnings that have been deprecated since 0.99