|
 |
292b33 |
From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001
|
|
|
292b33 |
From: Brian Carlson <brian.carlson@cpanel.net>
|
|
|
292b33 |
Date: Wed, 28 Nov 2012 08:54:33 -0500
|
|
|
292b33 |
Subject: [PATCH] Fix misparsing of maketext strings.
|
|
|
292b33 |
|
|
|
292b33 |
Case 61251: This commit fixes a misparse of maketext strings that could
|
|
|
292b33 |
lead to arbitrary code execution. Basically, maketext was compiling
|
|
|
292b33 |
bracket notation into functions, but neglected to escape backslashes
|
|
|
292b33 |
inside the content or die on fully-qualified method names when
|
|
|
292b33 |
generating the code. This change escapes all such backslashes and dies
|
|
|
292b33 |
when a method name with a colon or apostrophe is specified.
|
|
|
292b33 |
---
|
|
|
292b33 |
AUTHORS | 1 +
|
|
|
292b33 |
dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++----------------
|
|
|
292b33 |
2 files changed, 9 insertions(+), 16 deletions(-)
|
|
|
292b33 |
|
|
|
292b33 |
diff --git a/AUTHORS b/AUTHORS
|
|
|
292b33 |
index 70734b0..009dea0 100644
|
|
|
292b33 |
--- a/AUTHORS
|
|
|
292b33 |
+++ b/AUTHORS
|
|
|
292b33 |
@@ -154,6 +154,7 @@ Breno G. de Oliveira <garu@cpan.org>
|
|
|
292b33 |
Brent Dax <brentdax@cpan.org>
|
|
|
292b33 |
Brooks D Boyd
|
|
|
292b33 |
Brian Callaghan <callagh@itginc.com>
|
|
|
292b33 |
+Brian Carlson <brian.carlson@cpanel.net>
|
|
|
292b33 |
Brian Clarke <clarke@appliedmeta.com>
|
|
|
292b33 |
brian d foy <brian.d.foy@gmail.com>
|
|
|
292b33 |
Brian Fraser <fraserbn@gmail.com>
|
|
|
292b33 |
diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm
|
|
|
292b33 |
index 4822027..63e5fba 100644
|
|
|
292b33 |
--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm
|
|
|
292b33 |
+++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm
|
|
|
292b33 |
@@ -625,21 +625,9 @@ sub _compile {
|
|
|
292b33 |
# 0-length method name means to just interpolate:
|
|
|
292b33 |
push @code, ' (';
|
|
|
292b33 |
}
|
|
|
292b33 |
- elsif($m =~ /^\w+(?:\:\:\w+)*$/s
|
|
|
292b33 |
- and $m !~ m/(?:^|\:)\d/s
|
|
|
292b33 |
- # exclude starting a (sub)package or symbol with a digit
|
|
|
292b33 |
+ elsif($m =~ /^\w+$/s
|
|
|
292b33 |
+ # exclude anything fancy, especially fully-qualified module names
|
|
|
292b33 |
) {
|
|
|
292b33 |
- # Yes, it even supports the demented (and undocumented?)
|
|
|
292b33 |
- # $obj->Foo::bar(...) syntax.
|
|
|
292b33 |
- $target->_die_pointing(
|
|
|
292b33 |
- $string_to_compile, q{Can't use "SUPER::" in a bracket-group method},
|
|
|
292b33 |
- 2 + length($c[-1])
|
|
|
292b33 |
- )
|
|
|
292b33 |
- if $m =~ m/^SUPER::/s;
|
|
|
292b33 |
- # Because for SUPER:: to work, we'd have to compile this into
|
|
|
292b33 |
- # the right package, and that seems just not worth the bother,
|
|
|
292b33 |
- # unless someone convinces me otherwise.
|
|
|
292b33 |
-
|
|
|
292b33 |
push @code, ' $_[0]->' . $m . '(';
|
|
|
292b33 |
}
|
|
|
292b33 |
else {
|
|
|
292b33 |
@@ -693,7 +681,9 @@ sub _compile {
|
|
|
292b33 |
elsif(substr($1,0,1) ne '~') {
|
|
|
292b33 |
# it's stuff not containing "~" or "[" or "]"
|
|
|
292b33 |
# i.e., a literal blob
|
|
|
292b33 |
- $c[-1] .= $1;
|
|
|
292b33 |
+ my $text = $1;
|
|
|
292b33 |
+ $text =~ s/\\/\\\\/g;
|
|
|
292b33 |
+ $c[-1] .= $text;
|
|
|
292b33 |
|
|
|
292b33 |
}
|
|
|
292b33 |
elsif($1 eq '~~') { # "~~"
|
|
|
292b33 |
@@ -731,7 +721,9 @@ sub _compile {
|
|
|
292b33 |
else {
|
|
|
292b33 |
# It's a "~X" where X is not a special character.
|
|
|
292b33 |
# Consider it a literal ~ and X.
|
|
|
292b33 |
- $c[-1] .= $1;
|
|
|
292b33 |
+ my $text = $1;
|
|
|
292b33 |
+ $text =~ s/\\/\\\\/g;
|
|
|
292b33 |
+ $c[-1] .= $text;
|
|
|
292b33 |
}
|
|
|
292b33 |
}
|
|
|
292b33 |
}
|
|
|
292b33 |
--
|
|
|
292b33 |
1.7.11.7
|
|
|
292b33 |
|