From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 16:06:32 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
The trailing . that perl adds to @INC can be used by an attacker to fake
an optional module in a world-writable directory, for a process
using HTTP::Tiny that is run from that directory.
Remove the default . from the end of @INC when loading optional
modules.
Closes #90
---
lib/HTTP/Tiny.pm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index f8059b7..ea6db53 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -507,6 +507,8 @@ sub can_ssl {
my($ok, $reason) = (1, '');
# Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
$ok = 0;
$reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
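Review bot: The guard `pop @INC if $INC[-1] eq '.';` drops only a `.` sitting in the last slot of @INC, so a `.` (or any other relative entry) that reached @INC some other way, e.g. via `PERL5LIB` or `-I`, is still searched by the `require` that follows; that matches the commit's stated intent of removing only the default entry, but the limit should be stated in the code so it is not later mistaken for an oversight. I would put `# Drop only the trailing '.' perl appends by default; entries placed in @INC deliberately are kept.` above the `local @INC = @INC;` line. The same two lines are added in the `_find_CA_file` hunk and could carry the same comment; because `local` is unwound when a helper sub returns, the pair cannot be moved into a shared helper, so the duplication is unavoidable. `can_ssl` continues past the end of this hunk.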
@@ -1571,6 +1573,8 @@ sub _find_CA_file {
return $ca_file;
}
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
return Mozilla::CA::SSL_ca_file()
if eval { require Mozilla::CA; 1 };