This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
Validate the 'require Bare::Word' pathname.
At runtime in require, validate the generated filename after translation
of '::' to '/' (and possible conversion from VMS to Unix format) to keep
the code simpler. Reject empty module names, module names starting with
'/' or '.' (ie absolute paths, hidden files, and '..'), and module names
containing NUL bytes or '/.' (ie hidden files and '..').
Add a test for Perl_load_module(), and check that it now rejects module
names which fall foul of the above rules.
Most of these can't trigger for a simple bareword require since the
illegal module name will already have been rejected during parsing. However,
the Perl_load_module() fakes up a require optree including a bareword
OP_CONST, which *isn't* restricted by the lexer.
Note that this doesn't apply to non-bareword pathnames: these are both
unaffected:
    require "/foo/bar.pm";
    $x = "/foo/bar.pm"; require $x;
[ This is cherry-picked from a branch Nicholas wrote 4 years ago, but
which was never merged. I've kept the body of the diff the same, modulo
rebasing, but re-worded the commit title and message.
Only one test was changed: the final one in load-module.t, since a
\0 in a pathname is now trapped earlier and gives a "can't locate" error
instead. For the same reason, it also required the addition of
"no warnings 'syscalls';".
- DAPM ]
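
The rejection rules listed in the commit message, as an added C sketch that is not the Perl source or the code from this commit. The function name `module_path_ok`, the `CHECK` macro and the sample names are assumptions constructed for illustration; the length is passed explicitly because a name with an embedded NUL cannot be measured with strlen().

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not Perl's own function). Takes the filename
 * produced from a bareword module name after '::' has been translated
 * to '/', and returns 1 if it passes the rules in the commit message,
 * 0 if it must be rejected. */
static int module_path_ok(const char *name, size_t len)
{
    size_t i;

    if (len == 0)
        return 0;                   /* empty module name */
    if (name[0] == '/' || name[0] == '.')
        return 0;                   /* absolute path, hidden file, '..' */
    for (i = 0; i < len; i++) {
        if (name[i] == '\0')
            return 0;               /* embedded NUL byte */
        if (name[i] == '/' && i + 1 < len && name[i + 1] == '.')
            return 0;               /* "/.": hidden file or '..' component */
    }
    return 1;
}

/* Length taken from the literal, so embedded NULs are counted. */
#define CHECK(lit) module_path_ok((lit), sizeof(lit) - 1)

int main(void)
{
    /* Constructed sample filenames, already in '/'-separated form. */
    printf("Foo/Bar.pm      -> %d\n", CHECK("Foo/Bar.pm"));
    printf("(empty)         -> %d\n", CHECK(""));
    printf("/etc/passwd.pm  -> %d\n", CHECK("/etc/passwd.pm"));
    printf("../Foo.pm       -> %d\n", CHECK("../Foo.pm"));
    printf("Foo/../Bar.pm   -> %d\n", CHECK("Foo/../Bar.pm"));
    printf("Foo/.hidden.pm  -> %d\n", CHECK("Foo/.hidden.pm"));
    printf("Foo\\0Bar.pm     -> %d\n", CHECK("Foo\0Bar.pm"));
    return 0;
}
```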