require ::foo' will try to load /foo.pm #14861
Comments
From @jmdhAs mentioned in http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html the bug which was initially described as a security bug is still valid even if not a security bug, and there was quite a bit of discussion about it. However I've not seen a perlbug, nor any recent discussion on the topic, so I'm filing this bug to hopefully provide a definitive record of the status of the issue. Thanks to all who have contributed to this discussion so far! Dominic |
From @rjbsThis ticket has fallen off the radar twice, but I am going to get it back on As mentioned in the ticket, find the original discussion (from 2012!!) here: Here's what we should do: * forbid any leading colons in require or use statements There is going to be some inconsistency either way, and this is the Patches solicited. 1: http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189936.html -- |
|
The RT System itself - Status changed from 'new' to 'open' |
From @tonycozOn Thu Jan 28 14:54:49 2016, perl.p5p@rjbs.manxome.org wrote:
Attached. Improvements to the messages and their documentation welcomed. Tony |
From @tonycoz0001-perl-125833-disallow-leading-colons-on-require-barew.patchFrom ef54951a9db6be28642e783d7d6980d8a96338c3 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 4 Feb 2016 14:35:03 +1100
Subject: [perl #125833] disallow leading colons on require bareword and use
---
pod/perldiag.pod | 16 ++++++++++++++++
t/lib/croak/toke | 12 ++++++++++++
toke.c | 4 ++++
3 files changed, 32 insertions(+)
diff --git a/pod/perldiag.pod b/pod/perldiag.pod
index ba653ba..4c096cd 100644
--- a/pod/perldiag.pod
+++ b/pod/perldiag.pod
@@ -3050,6 +3050,22 @@ L<perlfunc/last>.
that name, not even if you count where you were called from. See
L<perlfunc/last>.
+=item Leading colon not permitted for bareword require
+
+(F) Since C<::> in a bareword require is replaced with C</> a require
+of C<::Foo> would attempt to load F</Foo.pm>, which can be surprising.
+
+If you do need to load a module from an absolute path, specify the
+path as a string literal, eg:
+
+ require "/Foo.pm";
+
+=item Leading colon not permitted for use module name
+
+(F) Since C<::> in a module name for C<use> is replaced with C</> a
+C<use ::Foo> would attempt to load F</Foo.pm>, which can be
+surprising.
+
=item leaving effective %s failed
(F) While under the C<use filetest> pragma, switching the real and
diff --git a/t/lib/croak/toke b/t/lib/croak/toke
index 18dfa24..1b53743 100644
--- a/t/lib/croak/toke
+++ b/t/lib/croak/toke
@@ -302,3 +302,15 @@ Execution of - aborted due to compilation errors.
BEGIN <>
EXPECT
Illegal declaration of subroutine BEGIN at - line 1.
+########
+# NAME use ::Foo [perl #125833]
+use ::Foo;
+EXPECT
+Leading colon not permitted for use module name at - line 1, at end of line
+BEGIN not safe after errors--compilation aborted at - line 1.
+########
+# NAME require ::Foo [perl #125833]
+require ::Foo;
+EXPECT
+Leading colon not permitted for bareword require at - line 1, at end of line
+Execution of - aborted due to compilation errors.
diff --git a/toke.c b/toke.c
index 4a67857..3ca2254 100644
--- a/toke.c
+++ b/toke.c
@@ -4402,6 +4402,8 @@ S_tokenize_use(pTHX_ int is_use, char *s) {
}
else {
s = force_word(s,WORD,FALSE,TRUE);
+ if (*PL_tokenbuf == ':')
+ yyerror_pv("Leading colon not permitted for use module name", 0);
s = force_version(s, FALSE);
}
pl_yylval.ival = is_use;
@@ -8020,6 +8022,8 @@ Perl_yylex(pTHX)
GV_ADD | (UTF ? SVf_UTF8 : 0));
else if (*s == '<')
yyerror("<> at require-statement should be quotes");
+ if (*PL_tokenbuf == ':')
+ yyerror_pv("Leading colon not permitted for bareword require", 0);
}
if (orig_keyword == KEY_require) {
orig_keyword = 0;
--
2.1.4
|
From @rjbs* Tony Cook via RT <perlbug-followup@perl.org> [2016-02-03T22:36:04]
Thanks! This confused me at first: ~/code/perl5$ ./perl -I lib -e 'require :foo' Oh, it's a label! Well, no change from existing behavior, so okay! :-)
They looked good to me. -- |
From @ap* Ricardo Signes <perl.p5p@rjbs.manxome.org> [2016-02-08 03:30]:
In light of this:
… maybe reword the error message to “leading double colon”. </bikeshed> |
From @tonycozOn Sun Feb 07 19:46:50 2016, aristotle wrote:
Makes sense to me, though I just used '::'. Also switched to yyerror() instead of yyerror_pv(). Tony |
From @tonycoz0001-perl-125833-disallow-leading-colons-on-require-barew.patchFrom b88180ab9cc77343ec75d0a90014a2e2d4da1cd0 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 9 Feb 2016 10:41:13 +1100
Subject: [perl #125833] disallow leading colons on require bareword and use
---
pod/perldiag.pod | 16 ++++++++++++++++
t/lib/croak/toke | 12 ++++++++++++
toke.c | 4 ++++
3 files changed, 32 insertions(+)
diff --git a/pod/perldiag.pod b/pod/perldiag.pod
index ba653ba..3ea45bf 100644
--- a/pod/perldiag.pod
+++ b/pod/perldiag.pod
@@ -3050,6 +3050,22 @@ L<perlfunc/last>.
that name, not even if you count where you were called from. See
L<perlfunc/last>.
+=item Leading '::' not permitted for bareword require
+
+(F) Since C<::> in a bareword require is replaced with C</> a require
+of C<::Foo> would attempt to load F</Foo.pm>, which can be surprising.
+
+If you do need to load a module from an absolute path, specify the
+path as a string literal, eg:
+
+ require "/Foo.pm";
+
+=item Leading '::' not permitted for use module name
+
+(F) Since C<::> in a module name for C<use> is replaced with C</> a
+C<use ::Foo> would attempt to load F</Foo.pm>, which can be
+surprising.
+
=item leaving effective %s failed
(F) While under the C<use filetest> pragma, switching the real and
diff --git a/t/lib/croak/toke b/t/lib/croak/toke
index 18dfa24..7176390 100644
--- a/t/lib/croak/toke
+++ b/t/lib/croak/toke
@@ -302,3 +302,15 @@ Execution of - aborted due to compilation errors.
BEGIN <>
EXPECT
Illegal declaration of subroutine BEGIN at - line 1.
+########
+# NAME use ::Foo [perl #125833]
+use ::Foo;
+EXPECT
+Leading '::' not permitted for use module name at - line 1, at end of line
+BEGIN not safe after errors--compilation aborted at - line 1.
+########
+# NAME require ::Foo [perl #125833]
+require ::Foo;
+EXPECT
+Leading '::' not permitted for bareword require at - line 1, at end of line
+Execution of - aborted due to compilation errors.
diff --git a/toke.c b/toke.c
index 4a67857..185c9da 100644
--- a/toke.c
+++ b/toke.c
@@ -4402,6 +4402,8 @@ S_tokenize_use(pTHX_ int is_use, char *s) {
}
else {
s = force_word(s,WORD,FALSE,TRUE);
+ if (*PL_tokenbuf == ':')
+ yyerror("Leading '::' not permitted for use module name");
s = force_version(s, FALSE);
}
pl_yylval.ival = is_use;
@@ -8020,6 +8022,8 @@ Perl_yylex(pTHX)
GV_ADD | (UTF ? SVf_UTF8 : 0));
else if (*s == '<')
yyerror("<> at require-statement should be quotes");
+ if (*PL_tokenbuf == ':')
+ yyerror("Leading '::' not permitted for bareword require");
}
if (orig_keyword == KEY_require) {
orig_keyword = 0;
--
2.1.4
|
From @rjbsI've added this to the v5.25.1 blockers. Dave M. proposes an alternate patch in nntp.perl.org/group/perl.perl5.porters/235248 -- |
From @iabynOn Thu, Mar 24, 2016 at 07:08:35PM -0700, Ricardo SIGNES via RT wrote:
Now in blead as 8135bae [MERGE] disallow 'require ::Foo::Bar' etc -- |
|
@iabyn - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#125833 (status was 'resolved')
Searchable as RT125833$
The text was updated successfully, but these errors were encountered: