|
1 |
|
2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 |
|
3 CONFIRM:http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 |
|
4 |
|
5 From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001 |
|
6 From: Brian Carlson <[email protected]> |
|
7 Date: Wed, 28 Nov 2012 08:54:33 -0500 |
|
8 Subject: [PATCH] Fix misparsing of maketext strings. |
|
9 |
|
10 Case 61251: This commit fixes a misparse of maketext strings that could |
|
11 lead to arbitrary code execution. Basically, maketext was compiling |
|
12 bracket notation into functions, but neglected to escape backslashes |
|
13 inside the content or die on fully-qualified method names when |
|
14 generating the code. This change escapes all such backslashes and dies |
|
15 when a method name with a colon or apostrophe is specified. |
|
16 --- |
|
17 AUTHORS | 1 + |
|
18 dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++---------------- |
|
19 2 files changed, 9 insertions(+), 16 deletions(-) |
|
20 |
|
21 diff --git a/AUTHORS b/AUTHORS |
|
22 index 70734b0..009dea0 100644 |
|
23 --- a/AUTHORS |
|
24 +++ b/AUTHORS |
|
25 @@ -154,6 +154,7 @@ Breno G. de Oliveira <[email protected]> |
|
26 Brent Dax <[email protected]> |
|
27 Brooks D Boyd |
|
28 Brian Callaghan <[email protected]> |
|
29 +Brian Carlson <[email protected]> |
|
30 Brian Clarke <[email protected]> |
|
31 brian d foy <[email protected]> |
|
32 Brian Fraser <[email protected]> |
|
33 diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm |
|
34 index 4822027..63e5fba 100644 |
|
35 --- a/dist/Locale-Maketext/lib/Locale/Maketext.pm |
|
36 +++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm |
|
37 @@ -625,21 +625,9 @@ sub _compile { |
|
38 # 0-length method name means to just interpolate: |
|
39 push @code, ' ('; |
|
40 } |
|
41 - elsif($m =~ /^\w+(?:\:\:\w+)*$/s |
|
42 - and $m !~ m/(?:^|\:)\d/s |
|
43 - # exclude starting a (sub)package or symbol with a digit |
|
44 + elsif($m =~ /^\w+$/s |
|
45 + # exclude anything fancy, especially fully-qualified module names |
|
46 ) { |
|
47 - # Yes, it even supports the demented (and undocumented?) |
|
48 - # $obj->Foo::bar(...) syntax. |
|
49 - $target->_die_pointing( |
|
50 - $string_to_compile, q{Can't use "SUPER::" in a bracket-group method}, |
|
51 - 2 + length($c[-1]) |
|
52 - ) |
|
53 - if $m =~ m/^SUPER::/s; |
|
54 - # Because for SUPER:: to work, we'd have to compile this into |
|
55 - # the right package, and that seems just not worth the bother, |
|
56 - # unless someone convinces me otherwise. |
|
57 - |
|
58 push @code, ' $_[0]->' . $m . '('; |
|
59 } |
|
60 else { |
|
61 @@ -693,7 +681,9 @@ sub _compile { |
|
62 elsif(substr($1,0,1) ne '~') { |
|
63 # it's stuff not containing "~" or "[" or "]" |
|
64 # i.e., a literal blob |
|
65 - $c[-1] .= $1; |
|
66 + my $text = $1; |
|
67 + $text =~ s/\\/\\\\/g; |
|
68 + $c[-1] .= $text; |
|
69 |
|
70 } |
|
71 elsif($1 eq '~~') { # "~~" |
|
72 @@ -731,7 +721,9 @@ sub _compile { |
|
73 else { |
|
74 # It's a "~X" where X is not a special character. |
|
75 # Consider it a literal ~ and X. |
|
76 - $c[-1] .= $1; |
|
77 + my $text = $1; |
|
78 + $text =~ s/\\/\\\\/g; |
|
79 + $c[-1] .= $text; |
|
80 } |
|
81 } |
|
82 } |
|
83 -- |
|
84 1.7.4.1 |
|
85 |