From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Wed, 27 Jul 2016 16:06:32 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .

The final . perl adds to @INC can be used by an attacker to fake an optional module in a world writable directory for a process using HTTP::Tiny when run from that directory. Remove the default . from the end of @INC when loading optional modules. Closes #90
---
 lib/HTTP/Tiny.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index f8059b7..ea6db53 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -507,6 +507,8 @@ sub can_ssl {
 my($ok, $reason) = (1, '');
 # Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
 unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
 $ok = 0;
 $reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
@@ -1571,6 +1573,8 @@ sub _find_CA_file {
 return $ca_file;
 }
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
 return Mozilla::CA::SSL_ca_file() if eval { require Mozilla::CA; 1 };
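Review bot: The guard `pop @INC if $INC[-1] eq '.';` in the can_ssl hunk only strips a trailing `.`, so the `require IO::Socket::SSL` that follows still resolves through the current directory whenever `.` sits anywhere else in @INC (a `-I.` or `PERL5LIB` entry) or another relative path is present; if the intent is deliberately limited to perl's default trailing entry, that scope should be stated rather than left implicit. A comment on the two new lines would keep the reason attached through future edits, e.g. `# CVE-2016-1238: drop perl's default trailing '.' so an optional module can't be faked from the cwd`. The insertion also separates `# Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback` from the `unless` it describes; placing the two new lines above that comment keeps it next to its statement. With an empty @INC, `$INC[-1]` is undef and the `eq` comparison warns under `use warnings` — unlikely in practice, but `pop @INC if @INC and $INC[-1] eq '.';` costs nothing. can_ssl's body continues past the end of the hunk.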