Report information
Id: 131079
Status: resolved
Priority: 0/
Queue: perl6

Owner: Nobody
Requestors: lloyd.fourn [at] gmail.com
Cc:
AdminCc:

Severity: (no value)
Tag: testneeded
Platform: (no value)
Patch Status: (no value)
VM: (no value)



To: "rakudobug [...] perl.org" <rakudobug [...] perl.org>
From: Lloyd Fournier <lloyd.fourn [...] gmail.com>
Subject: [SEC] regex injection allows arbitrary execution using dynamic method lookup
Date: Thu, 30 Mar 2017 12:40:27 +0000
my $regex-from-user = '{ shell "/bin/sh" }';
try say "foo" ~~ /<$regex-from-user>/; # won't work
$regex-from-user = '<::(shell "/bin/sh")>';
try say "foo" ~~ /<$regex-from-user>/; # you got owned
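The two interpolation forms side by side, as an added example that is not part of the report or of Rakudo's own code. It uses constructed sample input so the difference that makes the payload above dangerous is visible on harmless strings: a scalar variable inside a regex is matched as literal text, whereas the <$var> form compiles the variable's contents as regex source. The helper names match-literal and match-as-regex are this example's own.

```raku
# Added example (not from the ticket or from Rakudo itself): literal
# interpolation versus regex interpolation of a user-controlled string.

# Literal interpolation: the string value of $needle is matched as-is, so
# regex metacharacters and <::(...)> lookups inside it are inert text.
sub match-literal(Str $haystack, Str $needle --> Bool) {
    ($haystack ~~ /$needle/).defined
}

# Regex interpolation: the contents of $pattern are compiled as regex source.
# This is the form the report exploits; it is only safe for trusted patterns.
sub match-as-regex(Str $haystack, Str $pattern --> Bool) {
    ($haystack ~~ /<$pattern>/).defined
}

my $user-input = 'f.o';                        # constructed sample input
say match-literal("foo", $user-input);         # '.' is a literal dot here, so "foo" is not a match
say match-literal("f.o", $user-input);         # the exact text is a match
say match-as-regex("foo", $user-input);        # '.' is a wildcard here, so "foo" is a match

# The report's payload, routed through the literal form, is just text to
# search for: nothing is looked up dynamically and no shell is spawned.
my $regex-from-user = '<::(shell "/bin/sh")>';
say match-literal("foo", $regex-from-user);
say match-literal('prefix <::(shell "/bin/sh")> suffix', $regex-from-user);
```

The practical rule for code that accepts patterns from untrusted input is to use the literal form (or string methods such as .contains and .index) unless the caller genuinely needs regex semantics, in which case the pattern should be built from an allow-list of constructs rather than interpolated as source.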


On Thu, 30 Mar 2017 05:41:29 -0700, lloyd.fourn@gmail.com wrote:
> my $regex-from-user = '{ shell "/bin/sh" }';
> try say "foo" ~~ /<$regex-from-user>/; # won't work
> $regex-from-user = '<::(shell "/bin/sh")>';
> try say "foo" ~~ /<$regex-from-user>/; # you got owned
rakudo PR 1168 has been submitted to deal with this issue.
On Sat, 23 Sep 2017 06:59:18 -0700, bri@abrij.org wrote:
> On Thu, 30 Mar 2017 05:41:29 -0700, lloyd.fourn@gmail.com wrote:
> > my $regex-from-user = '{ shell "/bin/sh" }';
> > try say "foo" ~~ /<$regex-from-user>/; # won't work
> > $regex-from-user = '<::(shell "/bin/sh")>';
> > try say "foo" ~~ /<$regex-from-user>/; # you got owned
>
> rakudo PR 1168 has been submitted to deal with this issue.
That patch is in now, but Zoffix pointed out that these cases still fall through the cracks. See the PR notes for ongoing progress.
On Fri, 29 Sep 2017 12:05:52 -0700, cpan@zoffix.com wrote:
Tests now merged into roast via commit 6ae5f8ee2, so resolving this ticket.

