[SRM] perl lenny upload (CVE-2010-2761 CVE-2010-4410 CVE-2010-4411 CVE-2010-1974)
On Fri, Jan 14, 2011 at 09:28:09AM +0200, Niko Tyni wrote:
> I thought stable would be fixed with a DSA, but as the next Lenny point
> release will be out real soon (Jan 22nd, stable NEW freezes on the 17th),
> I suppose that's just as good. Cc'ing the security team.
>
> I'll try to get a perl lenny upload (#606995) in stable NEW by Monday.
Moritz kindly reminded me that CVE-2010-1974 / #582978 is still unfixed
in stable. Release team, would you be OK with including a fix for that
in the spu upload as well?
Changes:
perl (5.10.0-19lenny3) stable; urgency=low
.
* [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
fix CGI.pm MIME boundary and multiline header vulnerabilities.
(Closes: #606995)
* [SECURITY] CVE-2010-1974: Update to Safe-2.25, fixing code injection
and execution vulnerabilities. (Closes: #582978)
I'm attaching the patches I'd like to upload. I'm not including the
full debdiff as the build system in the perl lenny package makes the
patches show up twice, which is just noise in this context.
I'm afraid the fix for #582978 is not quite a minimal targeted fix. I'm
uncomfortable with extracting a more minimal fix from this, and I used
the same approach for squeeze/sid.
Moritz has acked this FWIW, and I've checked that the test suites of
the two reverse dependencies in stable that I'm aware of (safe-hole-perl
and libpetal-perl) don't show any regressions.
Please let me know if I can upload both or just one of these to
stable-proposed-updates.
Thanks for your work,
--
Niko Tyni ntyni@debian.org
From: Niko Tyni <ntyni@debian.org>
Subject: [PATCH] [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities
Origin: upstream
Bug-Debian: http://bugs.debian.org/606995
CVE-2010-2761 hardcoded MIME boundary, fixed in CGI.pm-3.50
CVE-2010-4410 CRLF injection vulnerability, fixed in CGI.pm-3.50
CVE-2010-4411 double CR/LF injection vulnerability, fixed in CGI.pm-3.51
---
MANIFEST | 2 +
lib/CGI.pm | 26 +++++++++++++++++++++++-
lib/CGI/t/headers.t | 47 ++++++++++++++++++++++++++++++++++++++++++++
lib/CGI/t/multipart_init.t | 20 ++++++++++++++++++
4 files changed, 94 insertions(+), 1 deletions(-)
create mode 100644 lib/CGI/t/headers.t
create mode 100644 lib/CGI/t/multipart_init.t
diff --git a/MANIFEST b/MANIFEST
index 490dc10..ab03edb 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1535,7 +1535,9 @@ lib/CGI/t/cookie.t See if CGI::Cookie works
lib/CGI/t/fast.t See if CGI::Fast works (if FCGI is installed)
lib/CGI/t/form.t See if CGI.pm works
lib/CGI/t/function.t See if CGI.pm works
+lib/CGI/t/headers.t See if CGI.pm works
lib/CGI/t/html.t See if CGI.pm works
+lib/CGI/t/multipart_init.t See if CGI.pm works
lib/CGI/t/no_tabindex.t See if CGI.pm works
lib/CGI/t/pretty.t See if CGI.pm works
lib/CGI/t/push.t See if CGI::Push works
diff --git a/lib/CGI.pm b/lib/CGI.pm
index 1bc74a3..b6198a7 100644
--- a/lib/CGI.pm
+++ b/lib/CGI.pm
@@ -1379,7 +1379,14 @@ END_OF_FUNC
sub multipart_init {
my($self,@p) = self_or_default(@_);
my($boundary,@other) = rearrange([BOUNDARY],@p);
- $boundary = $boundary || '------- =_aaaaaaaaaa0';
+ if (!$boundary) {
+ $boundary = '------- =_';
+ my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+ for (1..17) {
+ $boundary .= $chrs[rand(scalar @chrs)];
+ }
+ }
+
$self->{'separator'} = "$CRLF--$boundary$CRLF";
$self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
$type = SERVER_PUSH($boundary);
@@ -1464,6 +1471,23 @@ sub header {
'EXPIRES','NPH','CHARSET',
'ATTACHMENT','P3P'],@p);
+ # CR escaping for values, per RFC 822
+ for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+ if (defined $header) {
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+ # followed by a LWSP-char as equivalent to the LWSP-char.
+ $header =~ s/$CRLF(\s)/$1/g;
+
+ # All other uses of newlines are invalid input.
+ if ($header =~ m/$CRLF|\015|\012/) {
+ # shorten very long values in the diagnostic
+ $header = substr($header,0,72).'...' if (length $header > 72);
+ die "Invalid header value contains a newline not followed by whitespace: $header";
+ }
+ }
+ }
+
$nph ||= $NPH;
$type ||= 'text/html' unless defined($type);
diff --git a/lib/CGI/t/headers.t b/lib/CGI/t/headers.t
new file mode 100644
index 0000000..661b74b
--- /dev/null
+++ b/lib/CGI/t/headers.t
@@ -0,0 +1,47 @@
+
+# Test that header generation is spec compliant.
+# References:
+# http://www.w3.org/Protocols/rfc2616/rfc2616.html
+# http://www.w3.org/Protocols/rfc822/3_Lexical.html
+
+use strict;
+use warnings;
+
+use Test::More 'no_plan';
+
+use CGI;
+
+my $cgi = CGI->new;
+
+like $cgi->header( -type => "text/html" ),
+ qr#Type: text/html#, 'known header, basic case: type => "text/html"';
+
+eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'invalid header blows up');
+
+like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
+eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+
+eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) };
+like($@,qr/contains a newline/, 'unknown header with leading newlines blows up');
+
+eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up');
+
+eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up');
+
+eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") };
+like($@,qr/contains a newline/,'redirect with leading newlines blows up');
+
+{
+ my $cgi = CGI->new('t=bogus%0A%0A<html>');
+ my $out;
+ eval { $out = $cgi->redirect( $cgi->param('t') ) };
+ like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
+}
+
+
diff --git a/lib/CGI/t/multipart_init.t b/lib/CGI/t/multipart_init.t
new file mode 100644
index 0000000..f0a05e0
--- /dev/null
+++ b/lib/CGI/t/multipart_init.t
@@ -0,0 +1,20 @@
+use Test::More 'no_plan';
+
+use CGI;
+
+my $q = CGI->new;
+
+my $sv = $q->multipart_init;
+like( $sv, qr|Content-Type: multipart/x-mixed-replace;boundary="------- =|, 'multipart_init(), basic');
+
+like( $sv, qr/$CGI::CRLF$/, 'multipart_init(), ends in CRLF' );
+
+$sv = $q->multipart_init( 'this_is_the_boundary' );
+like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init("simple_boundary")' );
+$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );
+like($sv,
+ qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')");
+
+$sv = $q->multipart_init;
+my $sv2 = $q->multipart_init;
+isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results");
--
1.7.2.3
From: Niko Tyni <ntyni@debian.org>
Subject: [SECURITY] CVE-2010-1974: Update to Safe-2.25, fixing code injection and execution vulnerabilities.
Bug-Debian: http://bugs.debian.org/582978
Origin: upstream
---
MANIFEST | 4 +
ext/Opcode/Safe.pm | 255 +++++++++++++++++++++++++++++++++++---------
ext/Safe/t/safe1.t | 4 -
ext/Safe/t/safe2.t | 4 -
ext/Safe/t/safe3.t | 12 +--
ext/Safe/t/safeload.t | 26 +++++
ext/Safe/t/safeops.t | 16 ++--
ext/Safe/t/safesort.t | 61 +++++++++++
ext/Safe/t/safeuniversal.t | 12 +-
ext/Safe/t/safeutf8.t | 46 ++++++++
ext/Safe/t/safewrap.t | 39 +++++++
11 files changed, 399 insertions(+), 80 deletions(-)
create mode 100644 ext/Safe/t/safeload.t
create mode 100644 ext/Safe/t/safesort.t
create mode 100644 ext/Safe/t/safeutf8.t
create mode 100644 ext/Safe/t/safewrap.t
diff --git a/MANIFEST b/MANIFEST
index ab03edb..a2c4881 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -990,8 +990,12 @@ ext/re/t/re.t see if re pragma works
ext/Safe/t/safe1.t See if Safe works
ext/Safe/t/safe2.t See if Safe works
ext/Safe/t/safe3.t See if Safe works
+ext/Safe/t/safeload.t See if Safe works
+ext/Safe/t/safesort.t See if Safe works
ext/Safe/t/safeops.t Tests that all ops can be trapped by Safe
ext/Safe/t/safeuniversal.t Tests Safe with functions from universal.c
+ext/Safe/t/safeutf8.t See if Safe works
+ext/Safe/t/safewrap.t See if Safe works
ext/SDBM_File/Makefile.PL SDBM extension makefile writer
ext/SDBM_File/sdbm/biblio SDBM kit
ext/SDBM_File/sdbm/CHANGES SDBM kit
diff --git a/ext/Opcode/Safe.pm b/ext/Opcode/Safe.pm
index 68c60a6..bae9d3f 100644
--- a/ext/Opcode/Safe.pm
+++ b/ext/Opcode/Safe.pm
@@ -2,8 +2,10 @@ package Safe;
use 5.003_11;
use strict;
+use Scalar::Util qw(reftype);
+use B qw(sub_generation);
-$Safe::VERSION = "2.12";
+$Safe::VERSION = "2.25";
# *** Don't declare any lexicals above this point ***
#
@@ -26,7 +28,9 @@ sub lexless_anon_sub {
}
use Carp;
+BEGIN { eval q{
use Carp::Heavy;
+} }
use Opcode 1.01, qw(
opset opset_to_ops opmask_add
@@ -36,6 +40,23 @@ use Opcode 1.01, qw(
*ops_to_opset = \&opset; # Temporary alias for old Penguins
+# Regular expressions and other unicode-aware code may need to call
+# utf8->SWASHNEW (via perl's utf8.c). That will fail unless we share the
+# SWASHNEW method.
+# Sadly we can't just add utf8::SWASHNEW to $default_share because perl's
+# utf8.c code does a fetchmethod on SWASHNEW to check if utf8.pm is loaded,
+# and sharing makes it look like the method exists.
+# The simplest and most robust fix is to ensure the utf8 module is loaded when
+# Safe is loaded. Then we can add utf8::SWASHNEW to $default_share.
+require utf8;
+# we must ensure that utf8_heavy.pl, where SWASHNEW is defined, is loaded
+# but without depending on knowledge of that implementation detail.
+# This code (//i on a unicode string) ensures utf8 is fully loaded
+# and also loads the ToFold SWASH.
+# (Swashes are cached internally by perl in PL_utf8_* variables
+# independent of being inside/outside of Safe. So once loaded they can be)
+do { my $unicode = pack('U',0xC4).'1a'; $unicode =~ /\xE4/i; };
+# now we can safely include utf8::SWASHNEW in $default_share defined below.
my $default_root = 0;
# share *_ and functions defined in universal.c
@@ -44,7 +65,28 @@ my $default_root = 0;
my $default_share = [qw[
*_
&PerlIO::get_layers
+ &UNIVERSAL::isa
+ &UNIVERSAL::can
+ &UNIVERSAL::VERSION
+ &utf8::is_utf8
+ &utf8::valid
+ &utf8::encode
+ &utf8::decode
+ &utf8::upgrade
+ &utf8::downgrade
+ &utf8::native_to_unicode
+ &utf8::unicode_to_native
+ &utf8::SWASHNEW
+ $version::VERSION
+ $version::CLASS
+ $version::STRICT
+ $version::LAX
+ @version::ISA
+], ($] < 5.010 && qw[
+ &utf8::SWASHGET
+]), ($] >= 5.008001 && qw[
&Regexp::DESTROY
+]), ($] >= 5.010 && qw[
&re::is_regexp
&re::regname
&re::regnames
@@ -58,18 +100,7 @@ my $default_share = [qw[
&Tie::Hash::NamedCapture::NEXTKEY
&Tie::Hash::NamedCapture::SCALAR
&Tie::Hash::NamedCapture::flags
- &UNIVERSAL::isa
- &UNIVERSAL::can
&UNIVERSAL::DOES
- &UNIVERSAL::VERSION
- &utf8::is_utf8
- &utf8::valid
- &utf8::encode
- &utf8::decode
- &utf8::upgrade
- &utf8::downgrade
- &utf8::native_to_unicode
- &utf8::unicode_to_native
&version::()
&version::new
&version::(""
@@ -86,7 +117,14 @@ my $default_share = [qw[
&version::noop
&version::is_alpha
&version::qv
-]];
+ &version::vxs::declare
+ &version::vxs::qv
+ &version::vxs::_VERSION
+ &version::vxs::new
+ &version::vxs::parse
+]), ($] >= 5.011 && qw[
+ &re::regexp_pattern
+])];
sub new {
my($class, $root, $mask) = @_;
@@ -234,6 +272,7 @@ sub share_from {
my ($var, $type);
$type = $1 if ($var = $arg) =~ s/^(\W)//;
# warn "share_from $pkg $type $var";
+ for (1..2) { # assign twice to avoid any 'used once' warnings
*{$root."::$var"} = (!$type) ? \&{$pkg."::$var"}
: ($type eq '&') ? \&{$pkg."::$var"}
: ($type eq '$') ? \${$pkg."::$var"}
@@ -242,6 +281,7 @@ sub share_from {
: ($type eq '*') ? *{$pkg."::$var"}
: croak(qq(Can't share "$type$var" of unknown type));
}
+ }
$obj->share_record($pkg, $vars) unless $no_record or !$vars;
}
@@ -272,22 +312,111 @@ sub varglob {
return *{$obj->root()."::$var"};
}
+sub _clean_stash {
+ my ($root, $saved_refs) = @_;
+ $saved_refs ||= [];
+ no strict 'refs';
+ foreach my $hook (qw(DESTROY AUTOLOAD), grep /^\(/, keys %$root) {
+ push @$saved_refs, \*{$root.$hook};
+ delete ${$root}{$hook};
+ }
+
+ for (grep /::$/, keys %$root) {
+ next if \%{$root.$_} eq \%$root;
+ _clean_stash($root.$_, $saved_refs);
+ }
+}
sub reval {
my ($obj, $expr, $strict) = @_;
my $root = $obj->{Root};
my $evalsub = lexless_anon_sub($root,$strict, $expr);
- return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+ # propagate context
+ my $sg = sub_generation();
+ my @subret = (wantarray)
+ ? Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
+ : scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+ _clean_stash($root.'::') if $sg != sub_generation();
+ return (wantarray) ? @subret : $subret[0];
+}
+
+
+sub wrap_code_refs_within {
+ my $obj = shift;
+
+ $obj->_find_code_refs('wrap_code_ref', @_);
}
+
+sub _find_code_refs {
+ my $obj = shift;
+ my $visitor = shift;
+
+ for my $item (@_) {
+ my $reftype = $item && reftype $item
+ or next;
+ if ($reftype eq 'ARRAY') {
+ $obj->_find_code_refs($visitor, @$item);
+ }
+ elsif ($reftype eq 'HASH') {
+ $obj->_find_code_refs($visitor, values %$item);
+ }
+ # XXX GLOBs?
+ elsif ($reftype eq 'CODE') {
+ $item = $obj->$visitor($item);
+}
+ }
+}
+
+
+sub wrap_code_ref {
+ my ($obj, $sub) = @_;
+
+ # wrap code ref $sub with _safe_call_sv so that, when called, the
+ # execution will happen with the compartment fully 'in effect'.
+
+ croak "Not a CODE reference"
+ if reftype $sub ne 'CODE';
+
+ my $ret = sub {
+ my @args = @_; # lexical to close over
+ my $sub_with_args = sub { $sub->(@args) };
+
+ my @subret;
+ my $error;
+ do {
+ local $@; # needed due to perl_call_sv(sv, G_EVAL|G_KEEPERR)
+ my $sg = sub_generation();
+ @subret = (wantarray)
+ ? Opcode::_safe_call_sv($obj->{Root}, $obj->{Mask}, $sub_with_args)
+ : scalar Opcode::_safe_call_sv($obj->{Root}, $obj->{Mask}, $sub_with_args);
+ $error = $@;
+ _clean_stash($obj->{Root}.'::') if $sg != sub_generation();
+ };
+ if ($error) { # rethrow exception
+ $error =~ s/\t\(in cleanup\) //; # prefix added by G_KEEPERR
+ die $error;
+ }
+ return (wantarray) ? @subret : $subret[0];
+ };
+
+ return $ret;
+}
+
+
sub rdo {
my ($obj, $file) = @_;
my $root = $obj->{Root};
+ my $sg = sub_generation();
my $evalsub = eval
sprintf('package %s; sub { @_ = (); do $file }', $root);
- return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+ my @subret = (wantarray)
+ ? Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
+ : scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+ _clean_stash($root.'::') if $sg != sub_generation();
+ return (wantarray) ? @subret : $subret[0];
}
@@ -379,15 +508,7 @@ of this software.
Your mileage will vary. If in any doubt B<do not use it>.
-=head2 RECENT CHANGES
-
-The interface to the Safe module has changed quite dramatically since
-version 1 (as supplied with Perl5.002). Study these pages carefully if
-you have code written to use Safe version 1 because you will need to
-makes changes.
-
-
-=head2 Methods in class Safe
+=head1 METHODS
To create a new compartment, use
@@ -406,9 +527,7 @@ object returned by the above constructor. The object argument
is implicit in each case.
-=over 8
-
-=item permit (OP, ...)
+=head2 permit (OP, ...)
Permit the listed operators to be used when compiling code in the
compartment (in I<addition> to any operators already permitted).
@@ -416,29 +535,30 @@ compartment (in I<addition> to any operators already permitted).
You can list opcodes by names, or use a tag name; see
L<Opcode/"Predefined Opcode Tags">.
-=item permit_only (OP, ...)
+=head2 permit_only (OP, ...)
Permit I<only> the listed operators to be used when compiling code in
the compartment (I<no> other operators are permitted).
-=item deny (OP, ...)
+=head2 deny (OP, ...)
Deny the listed operators from being used when compiling code in the
compartment (other operators may still be permitted).
-=item deny_only (OP, ...)
+=head2 deny_only (OP, ...)
Deny I<only> the listed operators from being used when compiling code
-in the compartment (I<all> other operators will be permitted).
+in the compartment (I<all> other operators will be permitted, so you probably
+don't want to use this method).
-=item trap (OP, ...)
+=head2 trap (OP, ...)
-=item untrap (OP, ...)
+=head2 untrap (OP, ...)
The trap and untrap methods are synonyms for deny and permit
respectfully.
-=item share (NAME, ...)
+=head2 share (NAME, ...)
This shares the variable(s) in the argument list with the compartment.
This is almost identical to exporting variables using the L<Exporter>
@@ -454,9 +574,9 @@ for a glob (i.e. all symbol table entries associated with "foo",
including scalar, array, hash, sub and filehandle).
Each NAME is assumed to be in the calling package. See share_from
-for an alternative method (which share uses).
+for an alternative method (which C<share> uses).
-=item share_from (PACKAGE, ARRAYREF)
+=head2 share_from (PACKAGE, ARRAYREF)
This method is similar to share() but allows you to explicitly name the
package that symbols should be shared from. The symbol names (including
@@ -464,20 +584,29 @@ type characters) are supplied as an array reference.
$safe->share_from('main', [ '$foo', '%bar', 'func' ]);
+Names can include package names, which are relative to the specified PACKAGE.
+So these two calls have the same effect:
+
+ $safe->share_from('Scalar::Util', [ 'reftype' ]);
+ $safe->share_from('main', [ 'Scalar::Util::reftype' ]);
-=item varglob (VARNAME)
+=head2 varglob (VARNAME)
This returns a glob reference for the symbol table entry of VARNAME in
the package of the compartment. VARNAME must be the B<name> of a
-variable without any leading type marker. For example,
+variable without any leading type marker. For example:
+
+ ${$cpt->varglob('foo')} = "Hello world";
+
+has the same effect as:
$cpt = new Safe 'Root';
$Root::foo = "Hello world";
- # Equivalent version which doesn't need to know $cpt's package name:
- ${$cpt->varglob('foo')} = "Hello world";
+but avoids the need to know $cpt's package name.
-=item reval (STRING)
+
+=head2 reval (STRING, STRICT)
This evaluates STRING as perl code inside the compartment.
@@ -504,6 +633,10 @@ This behaviour differs from the beta distribution of the Safe extension
where earlier versions of perl made it hard to mimic the return
behaviour of the eval() command and the context was always scalar.
+The formerly undocumented STRICT argument sets strictness: if true
+'use strict;' is used, otherwise it uses 'no strict;'. B<Note>: if
+STRICT is omitted 'no strict;' is the default.
+
Some points to note:
If the entereval op is permitted then the code can use eval "..." to
@@ -538,14 +671,12 @@ the code in the compartment.
A similar effect applies to I<all> runtime symbol lookups in code
called from a compartment but not compiled within it.
-
-
-=item rdo (FILENAME)
+=head2 rdo (FILENAME)
This evaluates the contents of file FILENAME inside the compartment.
See above documentation on the B<reval> method for further details.
-=item root (NAMESPACE)
+=head2 root (NAMESPACE)
This method returns the name of the package that is the root of the
compartment's namespace.
@@ -554,7 +685,7 @@ Note that this behaviour differs from version 1.00 of the Safe module
where the root module could be used to change the namespace. That
functionality has been withdrawn pending deeper consideration.
-=item mask (MASK)
+=head2 mask (MASK)
This is a get-or-set method for the compartment's operator mask.
@@ -564,14 +695,34 @@ the compartment.
With the MASK argument present, it sets the operator mask for the
compartment (equivalent to calling the deny_only method).
-=back
+=head2 wrap_code_ref (CODEREF)
+
+Returns a reference to an anonymous subroutine that, when executed, will call
+CODEREF with the Safe compartment 'in effect'. In other words, with the
+package namespace adjusted and the opmask enabled.
+
+Note that the opmask doesn't affect the already compiled code, it only affects
+any I<further> compilation that the already compiled code may try to perform.
+
+This is particularly useful when applied to code references returned from reval().
+(It also provides a kind of workaround for RT#60374: "Safe.pm sort {} bug with
+-Dusethreads". See L<http://rt.perl.org/rt3//Public/Bug/Display.html?id=60374>
+for I<much> more detail.)
-=head2 Some Safety Issues
+=head2 wrap_code_refs_within (...)
-This section is currently just an outline of some of the things code in
-a compartment might do (intentionally or unintentionally) which can
-have an effect outside the compartment.
+Wraps any CODE references found within the arguments by replacing each with the
+result of calling L</wrap_code_ref> on the CODE reference. Any ARRAY or HASH
+references in the arguments are inspected recursively.
+
+Returns nothing.
+
+=head1 RISKS
+
+This section is just an outline of some of the things code in a compartment
+might do (intentionally or unintentionally) which can have an effect outside
+the compartment.
=over 8
@@ -609,7 +760,7 @@ but more subtle effect.
=back
-=head2 AUTHOR
+=head1 AUTHOR
Originally designed and implemented by Malcolm Beattie.
diff --git a/ext/Safe/t/safe1.t b/ext/Safe/t/safe1.t
index 6a3b908..385d661 100755
--- a/ext/Safe/t/safe1.t
+++ b/ext/Safe/t/safe1.t
@@ -1,10 +1,6 @@
#!./perl -w
$|=1;
BEGIN {
- if($ENV{PERL_CORE}) {
- chdir 't' if -d 't';
- @INC = '../lib';
- }
require Config; import Config;
if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
print "1..0\n";
diff --git a/ext/Safe/t/safe2.t b/ext/Safe/t/safe2.t
index d0239d1..2548dcc 100755
--- a/ext/Safe/t/safe2.t
+++ b/ext/Safe/t/safe2.t
@@ -1,10 +1,6 @@
#!./perl -w
$|=1;
BEGIN {
- if($ENV{PERL_CORE}) {
- chdir 't' if -d 't';
- @INC = '../lib';
- }
require Config; import Config;
if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
print "1..0\n";
diff --git a/ext/Safe/t/safe3.t b/ext/Safe/t/safe3.t
index 2d5f275..1f99f49 100644
--- a/ext/Safe/t/safe3.t
+++ b/ext/Safe/t/safe3.t
@@ -1,10 +1,6 @@
-#!perl
+#!perl -w
BEGIN {
- if ($ENV{PERL_CORE}) {
- chdir 't' if -d 't';
- @INC = '../lib';
- }
require Config; import Config;
if ($Config{'extensions'} !~ /\bOpcode\b/
&& $Config{'extensions'} !~ /\bPOSIX\b/
@@ -30,7 +26,8 @@ $safe->reval( qq{\$_[1] = qq/\0/ x } . $masksize );
# Check that it didn't work
$safe->reval( q{$x + $y} );
-like( $@, qr/^'?addition \(\+\)'? trapped by operation mask/,
+# Written this way to keep the Test::More that comes with perl 5.6.2 happy
+ok( $@ =~ /^'?addition \(\+\)'? trapped by operation mask/,
'opmask still in place with reval' );
my $safe2 = new Safe;
@@ -43,6 +40,7 @@ EOF
close $fh;
$safe2->rdo('nasty.pl');
$safe2->reval( q{$x + $y} );
-like( $@, qr/^'?addition \(\+\)'? trapped by operation mask/,
+# Written this way to keep the Test::More that comes with perl 5.6.2 happy
+ok( $@ =~ /^'?addition \(\+\)'? trapped by operation mask/,
'opmask still in place with rdo' );
END { unlink 'nasty.pl' }
diff --git a/ext/Safe/t/safeload.t b/ext/Safe/t/safeload.t
new file mode 100644
index 0000000..2d2c3cc
--- /dev/null
+++ b/ext/Safe/t/safeload.t
@@ -0,0 +1,26 @@
+#!perl
+
+BEGIN {
+ require Config;
+ import Config;
+ if ($Config{'extensions'} !~ /\bOpcode\b/) {
+ print "1..0\n";
+ exit 0;
+ }
+ # Can we load the version module ?
+ eval { require version; 1 } or do {
+ print "1..0 # no version.pm\n";
+ exit 0;
+ };
+ delete $INC{"version.pm"};
+}
+
+use strict;
+use Test::More;
+use Safe;
+plan(tests => 1);
+
+my $c = new Safe;
+$c->permit(qw(require caller entereval unpack));
+my $r = $c->reval(q{ use version; 1 });
+ok( defined $r, "Can load version.pm in a Safe compartment" ) or diag $@;
diff --git a/ext/Safe/t/safeops.t b/ext/Safe/t/safeops.t
index 7734e60..e8fa339 100644
--- a/ext/Safe/t/safeops.t
+++ b/ext/Safe/t/safeops.t
@@ -2,13 +2,9 @@
# Tests that all ops can be trapped by a Safe compartment
BEGIN {
- if ($ENV{PERL_CORE}) {
- chdir 't' if -d 't';
- @INC = '../lib';
- }
- else {
+ unless ($ENV{PERL_CORE}) {
# this won't work outside of the core, so exit
- print "1..0\n"; exit 0;
+ print "1..0 # skipped: PERL_CORE unset\n"; exit 0;
}
}
use Config;
@@ -49,7 +45,7 @@ plan(tests => scalar @op);
sub testop {
my ($op, $opname, $code) = @_;
pass("$op : skipped") and return if $code =~ /^SKIP/;
- pass("$op : skipped") and return if $code =~ m://: && $] < 5.009; # no dor
+ pass("$op : skipped") and return if $code =~ m://|~~: && $] < 5.010;
my $c = new Safe;
$c->deny_only($op);
$c->reval($code);
@@ -423,4 +419,10 @@ setstate SKIP
method_named $x->y()
dor $x // $y
dorassign $x //= $y
+once SKIP {use feature 'state'; state $foo = 42;}
+say SKIP {use feature 'say'; say "foo";}
+smartmatch $x ~~ $y
+aeach SKIP each @t
+akeys SKIP keys @t
+avalues SKIP values @t
custom SKIP (no way)
diff --git a/ext/Safe/t/safesort.t b/ext/Safe/t/safesort.t
new file mode 100644
index 0000000..797e155
--- /dev/null
+++ b/ext/Safe/t/safesort.t
@@ -0,0 +1,61 @@
+#!perl -w
+$|=1;
+BEGIN {
+ require Config; import Config;
+ if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
+ print "1..0\n";
+ exit 0;
+ }
+}
+
+use Safe 1.00;
+use Test::More tests => 10;
+
+my $safe = Safe->new('PLPerl');
+$safe->permit_only(qw(:default sort));
+
+# check basic argument passing and context for anon-subs
+my $func = $safe->reval(q{ sub { @_ } });
+is_deeply [ $func->() ], [ ];
+is_deeply [ $func->("foo") ], [ "foo" ];
+
+my $func1 = $safe->reval(<<'EOS');
+
+ # uses quotes in { "$a" <=> $b } to avoid the optimizer replacing the block
+ # with a hardwired comparison
+ { package Pkg; sub p_sort { return sort { "$a" <=> $b } @_; } }
+ sub l_sort { return sort { "$a" <=> $b } @_; }
+
+ return sub { return join(",",l_sort(@_)), join(",",Pkg::p_sort(@_)) }
+
+EOS
+
+is $@, '', 'reval should not fail';
+is ref $func, 'CODE', 'reval should return a CODE ref';
+
+# $func1 will work in non-threaded perl
+# but RT#60374 "Safe.pm sort {} bug with -Dusethreads"
+# means the sorting won't work unless we wrap the code ref
+# such that it's executed with Safe 'in effect' at runtime
+my $func2 = $safe->wrap_code_ref($func1);
+
+my ($l_sorted, $p_sorted) = $func2->(3,1,2);
+is $l_sorted, "1,2,3";
+is $p_sorted, "1,2,3";
+
+# check other aspects of closures created inside Safe
+
+my $die_func = $safe->reval(q{ sub { die @_ if @_; 1 } });
+
+# check $@ not affected by successful call
+$@ = 42;
+$die_func->();
+is $@, 42, 'successful closure call should not alter $@';
+
+{
+ my $warns = 0;
+ local $SIG{__WARN__} = sub { $warns++ };
+ ok !eval { $die_func->("died\n"); 1 }, 'should die';
+ is $@, "died\n", '$@ should be set correctly';
+ is $warns, 0;
+}
diff --git a/ext/Safe/t/safeuniversal.t b/ext/Safe/t/safeuniversal.t
index d37d7ca..95867c5 100644
--- a/ext/Safe/t/safeuniversal.t
+++ b/ext/Safe/t/safeuniversal.t
@@ -1,10 +1,6 @@
#!perl
BEGIN {
- if ($ENV{PERL_CORE}) {
- chdir 't' if -d 't';
- @INC = '../lib';
- }
require Config;
import Config;
if ($Config{'extensions'} !~ /\bOpcode\b/) {
@@ -14,6 +10,7 @@ BEGIN {
}
use strict;
+use warnings;
use Test::More;
use Safe;
plan(tests => 6);
@@ -21,7 +18,10 @@ plan(tests => 6);
my $c = new Safe;
$c->permit(qw(require caller));
-my $r = $c->reval(q!
+my $no_warn_redef = ($] != 5.008009)
+ ? q(no warnings 'redefine';)
+ : q($SIG{__WARN__}=sub{};);
+my $r = $c->reval($no_warn_redef . q!
sub UNIVERSAL::isa { "pwned" }
(bless[],"Foo")->isa("Foo");
!);
@@ -31,7 +31,7 @@ is( (bless[],"Foo")->isa("Foo"), 1, "... but not outside" );
sub Foo::foo {}
-$r = $c->reval(q!
+$r = $c->reval($no_warn_redef . q!
sub UNIVERSAL::can { "pwned" }
(bless[],"Foo")->can("foo");
!);
diff --git a/ext/Safe/t/safeutf8.t b/ext/Safe/t/safeutf8.t
new file mode 100644
index 0000000..28441da
--- /dev/null
+++ b/ext/Safe/t/safeutf8.t
@@ -0,0 +1,46 @@
+#!perl -w
+$|=1;
+BEGIN {
+ require Config; import Config;
+ if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
+ print "1..0\n";
+ exit 0;
+ }
+}
+
+use Test::More tests => 7;
+
+use Safe 1.00;
+use Opcode qw(full_opset);
+
+pass;
+
+my $safe = Safe->new('PLPerl');
+$safe->permit(qw(pack));
+
+# Expression that triggers require utf8 and call to SWASHNEW.
+# Fails with "Undefined subroutine PLPerl::utf8::SWASHNEW called"
+# if SWASHNEW is not shared, else returns true if unicode logic is working.
+my $trigger = q{ my $a = pack('U',0xC4); $a =~ /\\xE4/i };
+
+ok $safe->reval( $trigger ), 'trigger expression should return true';
+is $@, '', 'trigger expression should not die';
+
+# return a closure
+my $sub = $safe->reval(q{sub { warn pack('U',0xC4) }});
+
+# define code outside Safe that'll be triggered from inside
+my @warns;
+$SIG{__WARN__} = sub {
+ my $msg = shift;
+ # this regex requires a different SWASH digit data for \d)
+ # than the one used above and by the trigger code in Safe.pm
+ $msg =~ s/\(eval \d+\)/XXX/i; # uses IsDigit SWASH
+ push @warns, $msg;
+};
+
+is eval { $sub->() }, 1, 'warn should return 1';
+is $@, '', '__WARN__ hook should not die';
+is @warns, 1, 'should only be 1 warning';
+like $warns[0], qr/at XXX line/, 'warning should have been edited';
+
diff --git a/ext/Safe/t/safewrap.t b/ext/Safe/t/safewrap.t
new file mode 100644
index 0000000..27166f8
--- /dev/null
+++ b/ext/Safe/t/safewrap.t
@@ -0,0 +1,39 @@
+#!perl -w
+
+$|=1;
+BEGIN {
+ require Config; import Config;
+ if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
+ print "1..0\n";
+ exit 0;
+ }
+}
+
+use strict;
+use Safe 1.00;
+use Test::More tests => 9;
+
+my $safe = Safe->new('PLPerl');
+$safe->permit_only(qw(:default sort));
+
+# eval within an eval: the outer eval is compiled into the sub, the inner is
+# compiled (by the outer) at runtime and so is subject to runtime opmask
+my $sub1 = sub { eval " eval '1+1' " };
+is $sub1->(), 2;
+
+my $sub1w = $safe->wrap_code_ref($sub1);
+is ref $sub1w, 'CODE';
+is eval { $sub1w->() }, undef;
+like $@, qr/eval .* trapped by operation mask/;
+
+is $sub1->(), 2, 'original ref should be unaffected';
+
+# setup args for wrap_code_refs_within including nested data
+my @args = (42, [[ 0, { sub => $sub1 }, 2 ]], 24);
+is $args[1][0][1]{sub}, $sub1;
+
+$safe->wrap_code_refs_within(@args);
+my $sub1w2 = $args[1][0][1]{sub};
+isnt $sub1w2, $sub1;
+is eval { $sub1w2->() }, undef;
+like $@, qr/eval .* trapped by operation mask/;
--
1.7.2.3
Reply to: