This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
Avoid attacks on sitecustomize by using NUL delimiters to wrap filenames.
author Nicholas Clark <nick@ccl4.org>
Thu, 24 Nov 2011 17:11:32 +0000 (18:11 +0100)
committer Nicholas Clark <nick@ccl4.org>
Sat, 3 Dec 2011 12:34:21 +0000 (13:34 +0100)
commit fc81b7184d0fd04bc43121a2a4a96d7863dfc569
tree 8ccc5929502152ffb4092be4ffabf04d44c5ed19
parent c29067d7797853039f1acba2cddf71786ecd4b16
Avoid attacks on sitecustomize by using NUL delimiters to wrap filenames.

Previously the generated code used regular '' strings, which meant that a
crafted pathname containing ' characters could be used to inject code.
Until the previous commit, this was only a problem if building in or
Configuring to install to such a directory. Which, hopefully, would be
"obviously wrong" to anyone capable of building Perl from source.

However, fixing the bug that prevented sitecustomize being subject to
relocatable include now means that for a relocatable perl, an end-user
controlled path can now reach the sitecustomize code.
perl.c
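
The quoting problem the commit message describes, as an added example that is not part of the commit or of perl.c: a simplified model of a generator that wraps a directory in a Perl string literal, and a scanner that reports how many bytes end up outside that literal. The function names, the `do ...` template and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the generator (not the real perl.c format string):
 * wrap dir + "/sitecustomize.pl" in a Perl string literal.
 * delim '\'' gives do '...'; delim 0 gives do q<NUL>...<NUL>. */
static size_t gen_do(char *out, size_t cap, const char *dir, char delim)
{
    int n = (delim == '\'')
        ? snprintf(out, cap, "do '%s/sitecustomize.pl'", dir)
        : snprintf(out, cap, "do q%c%s/sitecustomize.pl%c", 0, dir, 0);
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

/* Scan the literal the way a single-quote-style parser would: backslash
 * escapes the next byte, the first bare delimiter closes the string.
 * Returns how many bytes follow the closing delimiter; those bytes would
 * be parsed as Perl code rather than as part of the filename. */
static size_t bytes_outside_literal(const char *code, size_t len, char delim)
{
    size_t i = (delim == '\'') ? 4 : 5;   /* skip "do '" or "do q<NUL>" */
    for (; i < len; i++) {
        if (code[i] == '\\' && i + 1 < len) { i++; continue; }
        if (code[i] == delim) return len - i - 1;
    }
    return len;                            /* literal never closed */
}

/* Generate for dir and report the bytes that escape the literal. */
static size_t leaked(const char *dir, char delim)
{
    char buf[512];
    size_t len = gen_do(buf, sizeof buf, dir, delim);
    return len ? bytes_outside_literal(buf, len, delim) : (size_t)-1;
}

int main(void)
{
    const char *plain = "/opt/perl/site_perl";
    const char *quote = "/tmp/x';warn 1;'";   /* constructed sample path */
    printf("plain, ''  : %zu\n", leaked(plain, '\''));
    printf("quote, ''  : %zu\n", leaked(quote, '\''));
    printf("quote, NUL : %zu\n", leaked(quote, 0));
    return 0;
}
```

A pathname cannot contain a NUL byte, so with the NUL delimiter no directory name can close the literal early, whereas the `'` form depends on the path never containing a quote.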