author | shige <shige@FreeBSD.org> | 2003-10-01 22:17:57 +0800 |
---|---|---|
committer | shige <shige@FreeBSD.org> | 2003-10-01 22:17:57 +0800 |
commit | 0dc18b5927377443e80ee77afc7b7557eae0f2dd (patch) | |
tree | 6c6b7ff6189b8a76acca6690ac19483b6eab5087 /japanese | |
parent | 4f55566b1a62b6e6f3d19f7278c7e4d1942ee162 (diff) | |
Fix Safe.pm security hole.
PR: ports/57316
Submitted by: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
Diffstat (limited to 'japanese')
-rw-r--r-- | japanese/perl5/files/patch-Safe.pm | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/japanese/perl5/files/patch-Safe.pm b/japanese/perl5/files/patch-Safe.pm
new file mode 100644
index 000000000000..63e9e6391dad
--- /dev/null
+++ b/japanese/perl5/files/patch-Safe.pm
@@ -0,0 +1,45 @@
+--- ext/Opcode/Safe.pm.orig Fri Jan 22 10:03:55 1999
++++ ext/Opcode/Safe.pm Wed Oct 1 23:08:23 2003
+@@ -214,11 +215,11 @@
+ # Create anon sub ref in root of compartment.
+ # Uses a closure (on $expr) to pass in the code to be executed.
+ # (eval on one line to keep line numbers as expected by caller)
+- my $evalcode = sprintf('package %s; sub { eval $expr; }', $root);
++ my $evalcode = sprintf('package %s; sub { @_ = (); eval $expr; }', $root);
+ my $evalsub;
+ 
+ if ($strict) { use strict; $evalsub = eval $evalcode; }
+ else { no strict; $evalsub = eval $evalcode; }
+ 
+ return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+ }
+@@ -228,7 +229,7 @@
+ my $root = $obj->{Root};
+ 
+ my $evalsub = eval
+- sprintf('package %s; sub { do $file }', $root);
++ sprintf('package %s; sub { @_ = (); do $file }', $root);
+ return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+ }
+ 
+@@ -383,8 +384,9 @@
+ This is almost identical to exporting variables using the L<Exporter(3)>
+ module.
+ 
+-Each NAME must be the B<name> of a variable, typically with the leading
+-type identifier included. A bareword is treated as a function name.
++Each NAME must be the B<name> of a non-lexical variable, typically
++with the leading type identifier included. A bareword is treated as a
++function name.
+ 
+ Examples of legal names are '$foo' for a scalar, '@foo' for an
+ array, '%foo' for a hash, '&foo' or 'foo' for a subroutine and '*foo'
+@@ -426,7 +428,7 @@
+ Any attempt by the code in STRING to use an operator which is not permitted
+ by the compartment will cause an error (at run-time of the main program
+ but at compile-time for the code in STRING). The error is of the form
+-"%s trapped by operation mask operation...".
++"'%s' trapped by operation mask...".
+ 
+ If an operation is trapped in this way, then the code in STRING will
+ not be executed. If such a trapped operation occurs or any other |
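Review bot: Emptying `@_` on the changed reval line stops compartment code from reading the caller's arguments, but the string `eval $expr` right after it is still compiled inside a closure that lives in reval()'s own lexical scope, and a string eval can name every `my` variable in scope where it is compiled — so the compartment can still refer to `$root`, `$expr`, `$evalcode`, `$evalsub` and, judging from the `$obj->{Mask}` on the return line, the Safe object `$obj` itself, reaching it without going through `@_`. The rdo hunk has the same shape with `$file` and `$obj` in scope; both enclosing subs start outside the hunk, so their `my` declarations are inferred from the names used here. A safer shape is to build the anon sub in a helper whose only lexical is the code string, and to say why `@_` is emptied, since the existing comment only explains the closure on `$expr`. The helper is sketched below; reval would then call `my $evalsub = _lexless_anon_sub($root, $strict, $expr);` in place of the `$evalcode`/`$evalsub` pair, and rdo can take the same approach around `do $file`.
```perl
# Build the compartment's anon sub in a scope that holds none of
# reval()'s lexicals: a string eval sees every `my` variable in scope
# where it is compiled, so $obj, $expr, $evalcode, ... must not be
# visible here.  The code string travels in one odd-named lexical,
# which the generated code shadows before evaluating it.
sub _lexless_anon_sub {
    # $_[0] = root package, $_[1] = strict flag, $_[2] = code string
    my $__ExPr__ = $_[2];
    # @_ = (): keep the caller's arguments (including the Safe object)
    # out of the compartment's reach.  Kept on one line so line numbers
    # reported from the compartment match what the caller expects.
    return eval sprintf(
        'package %s; %s sub { @_ = (); eval(q[my $__ExPr__;] . $__ExPr__); }',
        $_[0], $_[1] ? 'use strict;' : 'no strict;');
}
# … unchanged: rest of reval(), down to the Opcode::_safe_call_sv call …
```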