Bug#923223: XML::Parser::parsefile() uses 2-argument open
Niko Tyni
ntyni at debian.org
Thu Feb 28 17:58:47 GMT 2019
On Thu, Feb 28, 2019 at 11:50:04AM +0100, Xavier wrote:
> Patch is ready in salsa repo:
>
> if (ref $file or $file eq '-') {
> open(FILE, $file) or croak "Couldn't open $file:\n$!";
> } else {
> open(FILE, '<', $file) or croak "Couldn't open $file:\n$!";
> }
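Review bot: The first branch's `ref $file` test sends every kind of reference to the 2-argument `open(FILE, $file)`, so whatever a reference stringifies to is still scanned for mode characters. Consider narrowing the condition to the reference kinds that actually required the fallback, and adding a comment that says why references and `-` keep the 2-argument form while everything else goes through `'<'`.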
>
> Successfully tested with xmltv. I propose to push this as is for now to
> close the bug before the freeze. This patch fixes the security bug since
> strange filenames are no longer interpreted, and the autopkgtest regression is fixed.
What kind of references did you encounter that made it necessary to
fall back to 2-arg open on all references? They might still stringify
to nasty things.
% perl -e 'package Foo; use overload q{""} => sub { return ${$_[0]} }; 1; package main; my $s = "> /etc/passwd"; my $foo = bless \$s, "Foo"; print qq(value: "$foo" ref:) . ref($foo) . "\n"; open(my $fh, $foo) or die $!'
value: "> /etc/passwd" ref:Foo
Permission denied at -e line 1.
That said, this does seem quite far-fetched. I expect the patch fixes
all the command line injection issues caused by the 2-arg open just fine
and doesn't make things any worse in these more obscure scenarios.
--
Niko Tyni ntyni at debian.org
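
The two open forms discussed in this thread, side by side, as an added Perl example that is not part of the original messages or of XML::Parser. `open_for_parse`, the constructed `Foo` class and the throwaway file names are assumptions for illustration, and refusing references that are not open handles is a stricter choice than the quoted patch makes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(croak);
use Scalar::Util qw(openhandle);
use File::Temp qw(tempdir);

# Hypothetical helper (not XML::Parser code): return a read handle for $file
# without ever letting the string form of $file choose the open mode.
sub open_for_parse {
    my ($file) = @_;
    croak "No file given" unless defined $file;
    if (ref $file) {
        # Use already-open handles as they are; never stringify other refs.
        my $fh = openhandle($file);
        return $fh if $fh;
        croak "Refusing " . ref($file) . " reference as a file name";
    }
    return \*STDIN if $file eq '-';    # '-' handled explicitly, no 2-arg open
    open(my $fh, '<', $file) or croak "Couldn't open $file:\n$!";
    return $fh;
}

# Constructed class whose objects stringify to the scalar they wrap.
{ package Foo; use overload q{""} => sub { ${ $_[0] } }; }

# Constructed sandbox: the only file touched lives in a throwaway directory.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim.txt";
sub reset_victim {
    open(my $w, '>', $victim) or die "setup: $!";
    print {$w} "keep me\n";
    close $w;
}
sub victim_size { return (stat $victim)[7] }

my $name = "> $victim";                        # constructed odd "file name"
my $obj  = bless \(my $copy = $name), 'Foo';   # stringifies to the same text

for my $case ([ 'plain string', $name ], [ 'overloaded object', $obj ]) {
    my ($label, $arg) = @$case;

    reset_victim();
    if (open(my $fh, $arg)) { close $fh }      # 2-arg form parses the '>'
    printf "%-18s 2-arg open     -> %d bytes left\n", $label, victim_size();

    reset_victim();
    my $ok = eval { open_for_parse($arg); 1 };
    printf "%-18s open_for_parse -> %s, %d bytes left\n",
        $label, ($ok ? 'opened' : 'croaked'), victim_size();
}
```

In both cases the 2-argument call empties the file, while the helper croaks and leaves its 8 bytes in place: the plain string fails as a nonexistent literal file name, and the object is refused before it is ever stringified.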