
From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 16:06:32 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
The final . perl adds to @INC can be used by an attacker to fake
an optional module in a world-writable directory for a process
using HTTP::Tiny when run from that directory.
Remove the default . from the end of @INC when loading optional
modules.
Closes #90
---
 lib/HTTP/Tiny.pm | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index f8059b7..ea6db53 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -507,6 +507,8 @@ sub can_ssl {
     my($ok, $reason) = (1, '');
 
     # Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
     unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
         $ok = 0;
         $reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
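Review bot: The new guard `pop @INC if $INC[-1] eq '.';` evaluates `$INC[-1]` even when @INC is empty, which compares undef with `eq` and raises an uninitialized-value warning under `use warnings`; prefer `pop @INC if @INC && $INC[-1] eq '.';`. The same two lines are repeated in the `_find_CA_file` hunk below and should take the same change. Note that only a trailing `.` is dropped; a `.` placed elsewhere in @INC (for example via PERL5LIB) is presumably the caller's deliberate choice and is left alone, which is worth stating in a why-comment such as `# CVE-2016-1238: do not resolve optional modules via the trailing '.' perl appends to @INC`. The body of can_ssl continues outside the hunk.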
@@ -1571,6 +1573,8 @@ sub _find_CA_file {
         return $ca_file;
     }
 
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
     return Mozilla::CA::SSL_ca_file()
         if eval { require Mozilla::CA; 1 };