Report information
Id: 128528
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: sprout <sprout [at] cpan.org>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



Date: Sun, 3 Jul 2016 11:24:22 -0700
To: perl5-security-report [...] perl.org
From: Father Chrysostomos <sprout [...] cpan.org>
Subject: XSLoader may load relative paths
See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have already pushed a fix for this as 08e3451d7. If the current CPAN maintainer of XSLoader is unavailable, then what is our next step? Can someone else make a release?

Should I go ahead and push my fix to maint-5.2x?
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Sun Jul 03 11:24:54 2016, sprout wrote:
> See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have
> already pushed a fix for this as 08e3451d7. If the current CPAN
> maintainer of XSLoader is unavailable, then what is our next step?
> Can someone else make a release?
>
> Should I go ahead and push my fix to maint-5.2x?

+    # Does this look like a relative path?
+    if ($modlibname !~ m|^[\\/]|) {
+        # Someone may have a #line directive that changes the file name, or

Absolute paths might not start with a / or \ on Win32, VMS and (I think) AmigaOS.

Unfortunately loading File::Spec calls back into XSLoader, so you can't use File::Spec->file_name_is_absolute

Tony
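Review bot: the test `if ($modlibname !~ m|^[\\/]|)` classifies every path that does not begin with `/` or `\` as relative, so on Win32 an absolute caller path such as `C:/Perl/lib/Foo.pm` (and a volume-prefixed path on VMS or AmigaOS) takes the relative-path branch too. Since File::Spec cannot be loaded from inside XSLoader, the cheapest fix is a second literal pattern for a volume prefix in the same condition, e.g. `if ($modlibname !~ m|^[\\/]| && $modlibname !~ m{^\w+:[\\/]})`; treating an absolute path as relative only costs the slower fallback, so the extra pattern does not need to be exhaustive, but a plain drive-letter form should at least be recognised. The comment line `# Someone may have a #line directive that changes the file name, or` should finish the sentence so a reader of the branch sees both cases (the `#line` directive and the `(eval N)` file name from a string eval) that make the caller's file name untrustworthy as a base directory.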
Date: Sun, 3 Jul 2016 22:28:52 -0500
From: "Craig A. Berry" <craig.a.berry [...] gmail.com>
Subject: Re: [perl #128528] XSLoader may load relative paths
CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
To: perl5-security-report [...] perl.org
On Sun, Jul 3, 2016 at 7:11 PM, Tony Cook via RT <perl5-security-report@perl.org> wrote:
> On Sun Jul 03 11:24:54 2016, sprout wrote:
>> See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have
>> already pushed a fix for this as 08e3451d7. If the current CPAN
>> maintainer of XSLoader is unavailable, then what is our next step?
>> Can someone else make a release?
>>
>> Should I go ahead and push my fix to maint-5.2x?
>
> +    # Does this look like a relative path?
> +    if ($modlibname !~ m|^[\\/]|) {
> +        # Someone may have a #line directive that changes the file name, or
>
> Absolute paths might not start with a / or \ on Win32, VMS and (I think) AmigaOS.
>
> Unfortunately loading File::Spec calls back into XSLoader, so you can't use File::Spec->file_name_is_absolute

The package filenames returned by caller() as well as @INC entries are stored in Unix format on VMS. If XSLoader::load is called from somewhere other than a package, then it's possible to get a filename from caller() in native syntax, but I'm not sure why anyone would do that. So I think we're ok there.

On Windows, it looks like both @INC and the package filenames have forward slashes, but they do still have the device name at the beginning of absolute paths, so you have C:/Perl/lib/... etc. So I believe relative paths would fail to be identified as such by the current code.

Do we really have a problem with relative paths as such, or do we have a problem with package filenames that begin with "(eval" specifically?
Date: Sun, 3 Jul 2016 22:38:52 -0500
CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
To: perl5-security-report [...] perl.org
From: "Craig A. Berry" <craig.a.berry [...] gmail.com>
Subject: Re: [perl #128528] XSLoader may load relative paths
On Sun, Jul 3, 2016 at 10:28 PM, Craig A. Berry <craig.a.berry@gmail.com> wrote:
> On Windows, it looks like both @INC and the package filenames have
> forward slashes, but they do still have the device name at the
> beginning of absolute paths, so you have C:/Perl/lib/... etc. So I
> believe relative paths would fail to be identified as such by the
> current code.

I think I said that backwards -- it's absolute paths that will be considered relative.
Date: Mon, 4 Jul 2016 09:19:29 +0300
To: perl5-security-report [...] perl.org
From: Jarkko Hietaniemi <jhi [...] iki.fi>
Subject: Re: [perl #128528] XSLoader may load relative paths
On Monday-201607-04 3:11, Tony Cook via RT wrote:
> On Sun Jul 03 11:24:54 2016, sprout wrote:
>> See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have
>> already pushed a fix for this as 08e3451d7. If the current CPAN
>> maintainer of XSLoader is unavailable, then what is our next step?
>> Can someone else make a release?
>>
>> Should I go ahead and push my fix to maint-5.2x?
>
> +    # Does this look like a relative path?
> +    if ($modlibname !~ m|^[\\/]|) {
> +        # Someone may have a #line directive that changes the file name, or
>
> Absolute paths might not start with a / or \ on Win32, VMS and (I think) AmigaOS.

IIUC yes for AmigaOS, it uses the same kind of "multi-root" (volume) syntax as Win32 or VMS. Would something like m{^\w+:[/\]} work for those?

> Unfortunately loading File::Spec calls back into XSLoader, so you
> can't use File::Spec->file_name_is_absolute

Which of course feels kind of stupid. Cwd, I am guessing without looking. (Or maybe some Win32 things?)

(Cwd being an XS has always been kind of strange, it leads into silly dependencies. Being core/builtin would make more sense.)
Date: Mon, 4 Jul 2016 18:56:41 +0200
CC: perl5-security-report [...] perl.org
To: Jarkko Hietaniemi <jhi [...] iki.fi>
From: demerphq <demerphq [...] gmail.com>
Subject: Re: [perl #128528] XSLoader may load relative paths
On 4 Jul 2016 02:19, "Jarkko Hietaniemi" <jhi@iki.fi> wrote:
> On Monday-201607-04 3:11, Tony Cook via RT wrote:
>> On Sun Jul 03 11:24:54 2016, sprout wrote:
>>> See <https://rt.cpan.org/Ticket/Display.html?id=115808>.  I have
>>> already pushed a fix for this as 08e3451d7.  If the current CPAN
>>> maintainer of XSLoader is unavailable, then what is our next step?
>>> Can someone else make a release?
>>>
>>> Should I go ahead and push my fix to maint-5.2x?
>>
>> +    # Does this look like a relative path?
>> +    if ($modlibname !~ m|^[\\/]|) {
>> +        # Someone may have a #line directive that changes the file name, or
>>
>> Absolute paths might not start with a / or \ on Win32, VMS and (I think) AmigaOS.
>
> IIUC yes for AmigaOS, it uses the same kind of "multi-root" (volume)
> syntax as Win32 or VMS.  Would something like m{^\w+:[/\]} work for
> those?
>
>> Unfortunately loading File::Spec calls back into XSLoader, so you can't use File::Spec->file_name_is_absolute
>
> Which of course feels kind of stupid.  Cwd, I am guessing without
> looking.  (Or maybe some Win32 things?)
>
> (Cwd being an XS has always been kind of strange, it leads into
> silly dependencies.  Being core/builtin would make more sense

++ to that...
Date: Mon, 4 Jul 2016 12:50:43 -0700
To: perl5-security-report [...] perl.org
From: Father Chrysostomos <sprout [...] cpan.org>
Subject: Re: [perl #128528] XSLoader may load relative paths
On Jul 4, 2016, at 9:57 AM, "yves orton via RT" <perl5-security-report@perl.org> wrote:
> On 4 Jul 2016 02:19, "Jarkko Hietaniemi" <jhi@iki.fi> wrote:
>> On Monday-201607-04 3:11, Tony Cook via RT wrote:
>>> On Sun Jul 03 11:24:54 2016, sprout wrote:
>>>> See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have
>>>> already pushed a fix for this as 08e3451d7. If the current CPAN
>>>> maintainer of XSLoader is unavailable, then what is our next step?
>>>> Can someone else make a release?
>>>>
>>>> Should I go ahead and push my fix to maint-5.2x?
>>>
>>> +    # Does this look like a relative path?
>>> +    if ($modlibname !~ m|^[\\/]|) {
>>> +        # Someone may have a #line directive that changes the file name, or
>>>
>>> Absolute paths might not start with a / or \ on Win32, VMS and (I think) AmigaOS.
>>
>> IIUC yes for AmigaOS, it uses the same kind of "multi-root" (volume)
>> syntax as Win32 or VMS. Would something like m{^\w+:[/\]} work for
>> those?
>>
>>> Unfortunately loading File::Spec calls back into XSLoader, so you can't use File::Spec->file_name_is_absolute

I just looked through all the various implementations of file_name_is_absolute and came up with commit v5.25.2-95-ga651dcd, now pushed to blead. As I pointed out in the commit message, it’s not the end of the world if we mistakenly view some paths as relative, but it will be slightly slower.
Date: Mon, 4 Jul 2016 12:51:48 -0700
To: perl5-security-report [...] perl.org
From: Father Chrysostomos <sprout [...] cpan.org>
Subject: Re: [perl #128528] XSLoader may load relative paths
On Jul 3, 2016, at 8:29 PM, "Craig Berry via RT" <perl5-security-report@perl.org> wrote:
> Do we really have a problem with relative paths as such, or do we have
> a problem with package filenames that begin with "(eval" specifically?

‘(eval’ specifically, but that just reveals the problem. There are numerous reasons why one might use #line directives to change the file name. XSLoader’s documentation does not warn users about it, and, quite frankly, I don’t think users should have to worry about it.
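The path derivation and the absolute-path check discussed in this thread (Tony's and Craig's notes on Win32 and VMS path forms, Jarkko's volume-prefix regex, and the `(eval` and `#line` cases in the message above), as an added example; it is not XSLoader's code and not part of the ticket. It assumes the shared-object extension is `so`, that the component-stripping loop mirrors XSLoader's closely enough for illustration, and every function name in it (`derive_so_path`, `looks_absolute`, `load_decision`, `report_caller_file`) is hypothetical.

```perl
#!/usr/bin/perl
# Added example for perl #128528, not XSLoader's own code.  Shows how the
# caller's file name drives the path a loader derives for the shared
# object, why "(eval N)" or a #line directive yields a relative path, and
# an "is this absolute?" check that also accepts a Win32 drive letter or
# other volume prefix without loading File::Spec.
use strict;
use warnings;

# Mirror of the quick-and-dirty basename stripping: drop one trailing path
# component per package-name component, then append auto/<Mod/Path>/<Mod>.<ext>.
# Assumed to match XSLoader closely enough for illustration; $dlext "so" is
# an assumption too.
sub derive_so_path {
    my ($module, $modlibname, $dlext) = @_;
    $dlext //= 'so';
    my @parts = split /::/, $module, -1;
    my $c = @parts;
    $modlibname =~ s,[\\/][^\\/]+$,, while $c--;
    my $modpname = join '/', @parts;
    my $modfname = $parts[-1];
    return "$modlibname/auto/$modpname/$modfname.$dlext";
}

# The pattern from the thread, extended (as Jarkko suggested) with a volume
# prefix so C:/Perl/lib/... is not mistaken for a relative path.  File::Spec
# is deliberately not used: loading it would call back into the loader.
sub looks_absolute {
    my ($path) = @_;
    return 1 if $path =~ m{^[\\/]};        # /usr/lib/..., \\server\share\...
    return 1 if $path =~ m{^\w+:[\\/]};    # C:/Perl/lib/..., VOLUME:/...
    return 0;
}

# What a hardened loader should do with a given caller file name: only a
# path it can trust as absolute is used as the base for the .so; anything
# else is refused and left to the slower @INC-based fallback (DynaLoader).
sub load_decision {
    my ($module, $caller_file) = @_;
    my $so = derive_so_path($module, $caller_file);
    return looks_absolute($caller_file)
        ? "load $so directly"
        : "caller file '$caller_file' is relative; refuse '$so', fall back to DynaLoader (\@INC search)";
}

# Reports the file name caller() sees for the call site.
sub report_caller_file { return (caller)[1] }

if (!caller) {
    # Constructed cases: two trustworthy absolute paths, then the two shapes
    # the ticket is about.
    for my $case (
        [ 'Foo'      => '/usr/lib/perl5/Foo.pm'  ],
        [ 'Foo::Bar' => 'C:/Perl/lib/Foo/Bar.pm' ],
        [ 'Foo'      => '(eval 1)'               ],
        [ 'Foo::Bar' => 'Foo/Bar.pm'             ],   # as produced by #line
    ) {
        printf "%-10s %-26s => %s\n", @$case, load_decision(@$case);
    }

    # Inside a string eval the caller's file name is "(eval N)", not a path.
    print "inside string eval: ", eval(q{ report_caller_file() }), "\n";

    # A #line directive relabels the current file; everything below it is
    # reported as Foo/Bar.pm, which is exactly what a loader would see.
#line 1 "Foo/Bar.pm"
    print "after #line directive: ", report_caller_file(), "\n";
}

1;
```

Run it with `perl` and compare the rows: for the two absolute paths the derived `.so` lives under the installation tree, while for `(eval 1)` and `Foo/Bar.pm` the derived path is relative to the current working directory, which is where an attacker controlling that directory could plant a shared object; that is why those two are sent to the @INC-based fallback instead of being loaded as derived.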
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Sun, 03 Jul 2016 11:24:54 -0700, sprout wrote:
> See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have
> already pushed a fix for this as 08e3451d7. If the current CPAN
> maintainer of XSLoader is unavailable, then what is our next step?
> Can someone else make a release?
>
> Should I go ahead and push my fix to maint-5.2x?

This is fixed in blead and on CPAN - does it need to be fixed anywhere else to resolve this?

Tony
Date: Tue, 21 Feb 2017 10:31:01 +0000
CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #128528] XSLoader may load relative paths
To: Tony Cook via RT <perl5-security-report [...] perl.org>
On Sun, Jan 22, 2017 at 08:19:29PM -0800, Tony Cook via RT wrote:
> On Sun, 03 Jul 2016 11:24:54 -0700, sprout wrote:
>> See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have
>> already pushed a fix for this as 08e3451d7. If the current CPAN
>> maintainer of XSLoader is unavailable, then what is our next step?
>> Can someone else make a release?
>>
>> Should I go ahead and push my fix to maint-5.2x?
>
> This is fixed in blead and on CPAN - does it need to be fixed anywhere else
> to resolve this?

The two XSLoader fixes (don't load relative paths, and recognize drive letters) have been cherry-picked into both maint-5.24 and maint-5.22. So I think this ticket can be closed.

I also think it can be moved to the public queue, as the XSLoader issue has been public since last July.

-- 
The warp engines start playing up a bit, but seem to sort themselves out after a while without any intervention from boy genius Wesley Crusher.
    -- Things That Never Happen in "Star Trek" #17
To: Tony Cook via RT <perl5-security-report [...] perl.org>
Subject: Re: [perl #128528] XSLoader may load relative paths
CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
Date: Mon, 27 Feb 2017 12:28:38 +0000
From: Dave Mitchell <davem [...] iabyn.com>
On Tue, Feb 21, 2017 at 10:31:01AM +0000, Dave Mitchell wrote:
> On Sun, Jan 22, 2017 at 08:19:29PM -0800, Tony Cook via RT wrote:
>> On Sun, 03 Jul 2016 11:24:54 -0700, sprout wrote:
>>> See <https://rt.cpan.org/Ticket/Display.html?id=115808>. I have
>>> already pushed a fix for this as 08e3451d7. If the current CPAN
>>> maintainer of XSLoader is unavailable, then what is our next step?
>>> Can someone else make a release?
>>>
>>> Should I go ahead and push my fix to maint-5.2x?
>>
>> This is fixed in blead and on CPAN - does it need to be fixed anywhere else
>> to resolve this?
>
> The two XSLoader fixes (don't load relative paths, and recognize drive
> letters) have been cherry-picked into both maint-5.24 and maint-5.22.
> So I think this ticket can be closed.
>
> I also think it can be moved to the public queue, as the XSLoader issue
> has been public since last July.

which I am now doing.

-- 
That he said that that that that is is is debatable, is debatable.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org