
regex injection allows arbitrary execution using dynamic method lookup #6168

Closed
p6rt opened this issue Mar 30, 2017 · 7 comments

Comments

@p6rt

p6rt commented Mar 30, 2017

Migrated from rt.perl.org#131079 (status was 'resolved')

Searchable as RT131079$

@p6rt

p6rt commented Mar 30, 2017

From @LLFourn

my $regex-from-user = '{ shell "/bin/sh" }';
try say "foo" ~~ /<$regex-from-user>/; # won't work
$regex-from-user = '<::(shell "/bin/sh")>';
try say "foo" ~~ /<$regex-from-user>/; # you got owned
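Added example, not code from the ticket or from Rakudo, showing the defensive side of the report: a string interpolated as `$var` is matched literally, so regex syntax in it (including the `<::(...)>` dynamic lookup above) is never compiled; only the `<$var>` form turns untrusted text into regex source. The sub names and inputs are constructed for this illustration.

```raku
# Added example, not from the ticket: matching untrusted text with a regex.
# Inside a regex, `$var` matches the string's characters literally, while
# `<$var>` compiles the string as regex source, which is the path that lets
# `<::(...)>` dynamic lookup run code.

sub contains-literally(Str $haystack, Str $needle --> Bool) {
    # $needle is searched for as a plain substring; metacharacters and
    # assertion syntax inside it carry no meaning.
    so $haystack ~~ /$needle/;
}

sub contains-as-regex(Str $haystack, Str $pattern --> Bool) {
    # $pattern becomes regex source. Only acceptable for trusted patterns.
    so $haystack ~~ /<$pattern>/;
}

# Constructed inputs: '.' is a wildcard only when compiled as regex.
say contains-literally('foo.bar', 'o.b');   # matches the literal dot
say contains-literally('fooXbar', 'o.b');   # no match: '.' is not a wildcard here
say contains-as-regex('fooXbar', 'o.b');    # matches: '.' is a wildcard here

# A hypothetical, harmless probe in the dynamic-lookup syntax from the report.
# Under literal interpolation it is just text to search for, so nothing is
# resolved or called.
my $untrusted = '<::(say "never runs")>';
say contains-literally('user typed <::(say "never runs")> here', $untrusted);
say contains-literally('nothing here', $untrusted);
```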

@p6rt

p6rt commented Sep 23, 2017

From @skids

On Thu, 30 Mar 2017 05:41:29 -0700, lloyd.fourn@gmail.com wrote:

my $regex-from-user = '{ shell "/bin/sh" }';
try say "foo" ~~ /<$regex-from-user>/; # won't work
$regex-from-user = '<::(shell "/bin/sh")>';
try say "foo" ~~ /<$regex-from-user>/; # you got owned

rakudo PR 1168 has been submitted to deal with this issue.

@p6rt

p6rt commented Sep 23, 2017

The RT System itself - Status changed from 'new' to 'open'

@p6rt

p6rt commented Sep 24, 2017

From @skids

On Sat, 23 Sep 2017 06:59:18 -0700, bri@abrij.org wrote:

On Thu, 30 Mar 2017 05:41:29 -0700, lloyd.fourn@gmail.com wrote:

my $regex-from-user = '{ shell "/bin/sh" }';
try say "foo" ~~ /<$regex-from-user>/; # won't work
$regex-from-user = '<::(shell "/bin/sh")>';
try say "foo" ~~ /<$regex-from-user>/; # you got owned

rakudo PR 1168 has been submitted to deal with this issue.

That patch is in now, but Zoffix pointed out that these cases still fall through the cracks.

See the PR notes for ongoing progress.

@p6rt

p6rt commented Sep 29, 2017

From @zoffixznet

PR is now merged: rakudo/rakudo#1168

@p6rt

p6rt commented Sep 29, 2017

From @skids

On Fri, 29 Sep 2017 12:05:52 -0700, cpan@zoffix.com wrote:

PR is now merged: rakudo/rakudo#1168

Tests now merged into roast via commit 6ae5f8ee2, so resolving this ticket.

@p6rt

p6rt commented Sep 29, 2017

@skids - Status changed from 'open' to 'resolved'
