From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 16:06:32 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .

The final . that perl adds to @INC can be used by an attacker to plant
a fake optional module in a world-writable directory, affecting a process
that uses HTTP::Tiny when it is run from that directory.

Remove the default . from the end of @INC when loading optional
modules.

Closes #90
---
 lib/HTTP/Tiny.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index f8059b7..ea6db53 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -507,6 +507,8 @@ sub can_ssl {
     my($ok, $reason) = (1, '');
 
     # Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
     unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
         $ok = 0;
         $reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
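Review bot: The two added lines sit directly under the existing `# Need IO::Socket::SSL 1.42 ...` comment, so a reader will take them as part of the version requirement rather than as a hardening step whose rationale lives only in the commit message; the same pair is added in _find_CA_file in the second hunk. A comment above `local @INC = @INC;` in both places would carry the intent, e.g. `# CVE-2016-1238: drop only perl's default trailing '.' from @INC so a module planted in the cwd cannot be loaded by the optional requires below; explicit '.' entries elsewhere in @INC are left as the user's choice`. Stating that the check is deliberately limited to the last entry also guards against a later "fix" that strips every '.' and breaks callers who added it on purpose. Separately, `$INC[-1]` is undef when @INC is empty, which would emit an uninitialized-value warning if the file runs under `use warnings`; `pop @INC if @INC && $INC[-1] eq '.';` avoids that corner. can_ssl continues past the end of this hunk, so the `local` covers the rest of its body as well.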
@@ -1571,6 +1573,8 @@ sub _find_CA_file {
         return $ca_file;
     }
 
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
     return Mozilla::CA::SSL_ca_file()
         if eval { require Mozilla::CA; 1 };