Avoid attacks on sitecustomize by using NUL delimiters to wrap filenames.
authorNicholas Clark <nick@ccl4.org>
Thu, 24 Nov 2011 17:11:32 +0000 (18:11 +0100)
committerRicardo Signes <rjbs@cpan.org>
Wed, 21 Mar 2012 01:01:31 +0000 (21:01 -0400)
commitb7224ed8aa67348e9efec485fc3b621b0a8c55f5
tree30126e31065cf4c4eccbb64628cfbf8732e870b1
parentfba9bb10a66dbd0d6ef96e01d8cc0d38d34d04a0
Avoid attacks on sitecustomize by using NUL delimiters to wrap filenames.

Previously the generated code used regular '' strings, which meant that a
crafted pathname containing ' characters could be used to inject code.
Until the previous commit, this was only a problem if building in or
Configuring to install to such a directory. Which, hopefully, would be
"obviously wrong" to anyone capable of building Perl from source.

However, fixing the bug that prevented sitecustomize being subject to
relocatable include now means that for a relocatable pearl, an end-user
controlled path can now reach the sitecusomize code.
perl.c