New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
require ::foo' will try to load /foo.pm #14861
Comments
From @jmdhAs mentioned in http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html the bug which was initially described as a security bug is still valid even if not a security bug, and there was quite a bit of discussion about it. However I've not seen a perlbug, nor any recent discussion on the topic, so I'm filing this bug to hopefully provide a definitive record of the status of the issue. Thanks to all who have contributed to this discussion so far! Dominic |
From @rjbsThis ticket has fallen off the radar twice, but I am going to get it back on As mentioned in the ticket, find the original discussion (from 2012!!) here: Here's what we should do: * forbid any leading colons in require or use statements There is going to be some inconsistency either way, and this is the Patches solicited. 1: http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189936.html -- |
The RT System itself - Status changed from 'new' to 'open' |
From @tonycozOn Thu Jan 28 14:54:49 2016, perl.p5p@rjbs.manxome.org wrote:
Attached. Improvements to the messages and their documentation welcomed. Tony |
From @tonycoz0001-perl-125833-disallow-leading-colons-on-require-barew.patchFrom ef54951a9db6be28642e783d7d6980d8a96338c3 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 4 Feb 2016 14:35:03 +1100
Subject: [perl #125833] disallow leading colons on require bareword and use
---
pod/perldiag.pod | 16 ++++++++++++++++
t/lib/croak/toke | 12 ++++++++++++
toke.c | 4 ++++
3 files changed, 32 insertions(+)
diff --git a/pod/perldiag.pod b/pod/perldiag.pod
index ba653ba..4c096cd 100644
--- a/pod/perldiag.pod
+++ b/pod/perldiag.pod
@@ -3050,6 +3050,22 @@ L<perlfunc/last>.
that name, not even if you count where you were called from. See
L<perlfunc/last>.
+=item Leading colon not permitted for bareword require
+
+(F) Since C<::> in a bareword require is replaced with C</> a require
+of C<::Foo> would attempt to load F</Foo.pm>, which can be surprising.
+
+If you do need to load a module from an absolute path, specify the
+path as a string literal, eg:
+
+ require "/Foo.pm";
+
+=item Leading colon not permitted for use module name
+
+(F) Since C<::> in a module name for C<use> is replaced with C</> a
+C<use ::Foo> would attempt to load F</Foo.pm>, which can be
+surprising.
+
=item leaving effective %s failed
(F) While under the C<use filetest> pragma, switching the real and
diff --git a/t/lib/croak/toke b/t/lib/croak/toke
index 18dfa24..1b53743 100644
--- a/t/lib/croak/toke
+++ b/t/lib/croak/toke
@@ -302,3 +302,15 @@ Execution of - aborted due to compilation errors.
BEGIN <>
EXPECT
Illegal declaration of subroutine BEGIN at - line 1.
+########
+# NAME use ::Foo [perl #125833]
+use ::Foo;
+EXPECT
+Leading colon not permitted for use module name at - line 1, at end of line
+BEGIN not safe after errors--compilation aborted at - line 1.
+########
+# NAME require ::Foo [perl #125833]
+require ::Foo;
+EXPECT
+Leading colon not permitted for bareword require at - line 1, at end of line
+Execution of - aborted due to compilation errors.
diff --git a/toke.c b/toke.c
index 4a67857..3ca2254 100644
--- a/toke.c
+++ b/toke.c
@@ -4402,6 +4402,8 @@ S_tokenize_use(pTHX_ int is_use, char *s) {
}
else {
s = force_word(s,WORD,FALSE,TRUE);
+ if (*PL_tokenbuf == ':')
+ yyerror_pv("Leading colon not permitted for use module name", 0);
s = force_version(s, FALSE);
}
pl_yylval.ival = is_use;
@@ -8020,6 +8022,8 @@ Perl_yylex(pTHX)
GV_ADD | (UTF ? SVf_UTF8 : 0));
else if (*s == '<')
yyerror("<> at require-statement should be quotes");
+ if (*PL_tokenbuf == ':')
+ yyerror_pv("Leading colon not permitted for bareword require", 0);
}
if (orig_keyword == KEY_require) {
orig_keyword = 0;
--
2.1.4
|
From @rjbs* Tony Cook via RT <perlbug-followup@perl.org> [2016-02-03T22:36:04]
Thanks! This confused me at first: ~/code/perl5$ ./perl -I lib -e 'require :foo' Oh, it's a label! Well, no change from existing behavior, so okay! :-)
They looked good to me. -- |
From @ap* Ricardo Signes <perl.p5p@rjbs.manxome.org> [2016-02-08 03:30]:
In light of this:
… maybe reword the error message to “leading double colon”. </bikeshed> |
From @tonycozOn Sun Feb 07 19:46:50 2016, aristotle wrote:
Makes sense to me, though I just used '::'. Also switched to yyerror() instead of yyerror_pv(). Tony |
From @tonycoz0001-perl-125833-disallow-leading-colons-on-require-barew.patchFrom b88180ab9cc77343ec75d0a90014a2e2d4da1cd0 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 9 Feb 2016 10:41:13 +1100
Subject: [perl #125833] disallow leading colons on require bareword and use
---
pod/perldiag.pod | 16 ++++++++++++++++
t/lib/croak/toke | 12 ++++++++++++
toke.c | 4 ++++
3 files changed, 32 insertions(+)
diff --git a/pod/perldiag.pod b/pod/perldiag.pod
index ba653ba..3ea45bf 100644
--- a/pod/perldiag.pod
+++ b/pod/perldiag.pod
@@ -3050,6 +3050,22 @@ L<perlfunc/last>.
that name, not even if you count where you were called from. See
L<perlfunc/last>.
+=item Leading '::' not permitted for bareword require
+
+(F) Since C<::> in a bareword require is replaced with C</> a require
+of C<::Foo> would attempt to load F</Foo.pm>, which can be surprising.
+
+If you do need to load a module from an absolute path, specify the
+path as a string literal, eg:
+
+ require "/Foo.pm";
+
+=item Leading '::' not permitted for use module name
+
+(F) Since C<::> in a module name for C<use> is replaced with C</> a
+C<use ::Foo> would attempt to load F</Foo.pm>, which can be
+surprising.
+
=item leaving effective %s failed
(F) While under the C<use filetest> pragma, switching the real and
diff --git a/t/lib/croak/toke b/t/lib/croak/toke
index 18dfa24..7176390 100644
--- a/t/lib/croak/toke
+++ b/t/lib/croak/toke
@@ -302,3 +302,15 @@ Execution of - aborted due to compilation errors.
BEGIN <>
EXPECT
Illegal declaration of subroutine BEGIN at - line 1.
+########
+# NAME use ::Foo [perl #125833]
+use ::Foo;
+EXPECT
+Leading '::' not permitted for use module name at - line 1, at end of line
+BEGIN not safe after errors--compilation aborted at - line 1.
+########
+# NAME require ::Foo [perl #125833]
+require ::Foo;
+EXPECT
+Leading '::' not permitted for bareword require at - line 1, at end of line
+Execution of - aborted due to compilation errors.
diff --git a/toke.c b/toke.c
index 4a67857..185c9da 100644
--- a/toke.c
+++ b/toke.c
@@ -4402,6 +4402,8 @@ S_tokenize_use(pTHX_ int is_use, char *s) {
}
else {
s = force_word(s,WORD,FALSE,TRUE);
+ if (*PL_tokenbuf == ':')
+ yyerror("Leading '::' not permitted for use module name");
s = force_version(s, FALSE);
}
pl_yylval.ival = is_use;
@@ -8020,6 +8022,8 @@ Perl_yylex(pTHX)
GV_ADD | (UTF ? SVf_UTF8 : 0));
else if (*s == '<')
yyerror("<> at require-statement should be quotes");
+ if (*PL_tokenbuf == ':')
+ yyerror("Leading '::' not permitted for bareword require");
}
if (orig_keyword == KEY_require) {
orig_keyword = 0;
--
2.1.4
|
From @rjbsI've added this to the v5.25.1 blockers. Dave M. proposes an alternate patch in nntp.perl.org/group/perl.perl5.porters/235248 -- |
From @iabynOn Thu, Mar 24, 2016 at 07:08:35PM -0700, Ricardo SIGNES via RT wrote:
Now in blead as 8135bae [MERGE] disallow 'require ::Foo::Bar' etc -- |
@iabyn - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#125833 (status was 'resolved')
Searchable as RT125833$
The text was updated successfully, but these errors were encountered: