Re: Perl PR: "Security holes in Sys::Syslog"
authorRonald J. Kimball <rjk@linguist.dartmouth.edu>
Tue, 6 Dec 2005 09:56:12 +0000 (04:56 -0500)
committerRafael Garcia-Suarez <rgarciasuarez@gmail.com>
Tue, 6 Dec 2005 14:56:28 +0000 (14:56 +0000)
Message-ID: <20051206145612.GA94530@penkwe.pair.com>

p4raw-id: //depot/perl@26278

ext/Sys/Syslog/Syslog.pm

index 56cf18a..d275c0e 100644 (file)
@@ -328,7 +328,14 @@ sub syslog {
 
     $whoami .= "[$$]" if our $lo_pid;
 
-    $mask =~ s/(?<!%)%m/$!/g;
+    if ($mask =~ /%m/) {
+       my $err = $!;
+       # escape percent signs if sprintf will be called
+       $err =~ s/%/%%/g if @_;
+       # replace %m with $err, if preceded by an even number of percent signs
+       $mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g;
+    }
+
     $mask .= "\n" unless $mask =~ /\n$/;
     $message = @_ ? sprintf($mask, @_) : $mask;
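Review bot: `my $err = $!;` is read only inside the `%m` branch, well into syslog(), so anything earlier in the sub that makes a system call could already have overwritten errno, and `%m` would then log the wrong error. The start of syslog() is outside this hunk, so this is inferred rather than visible. If earlier code does touch files or sockets, capture the value first thing in the sub with `my $err = $!;` and reuse it here. Separately, when no arguments are passed the last line uses `$mask` verbatim, so the `%%` pairs that the new regex keeps in `$1` are logged doubled instead of as a single `%`. A comment such as `# no args: mask is not passed through sprintf, so %% stays as written` would record why the escaping of `$err` is conditional on `@_`.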