On 2011 Feb 17, at 16:16, David F. Skoll wrote:
> Here's a patch against my git version of mimedefang.pl.in. Not sure
> how cleanly it will apply to the released or beta version, but if people
> could try it out, I'd appreciate it.
Two small remarks:
> + sub _fac_to_num
> + {
> + my ($thing) = @_;
> + return undef if exists $blacklisted{$thing};
> + $thing = $special{$thing} if exists $special{$thing};
> + $thing = 'LOG_' . uc($thing);
> + return eval "Unix::Syslog::$thing()";
> }
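
Review bot: In `_fac_to_num`, the line `return eval "Unix::Syslog::$thing()";` interpolates `$thing` into a string eval after only the `%blacklisted` and `%special` lookups, so whatever the caller passed is compiled as Perl. Add a check before the string is built, for example `return undef unless $thing =~ /\A\w+\z/;`, or resolve the name without a string eval. The eval result is also returned without looking at `$@`, so a name that fails to compile and a blacklisted name both come back as undef; a comment saying that is intended would help.
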
You removed the check against $EXPORT_TAGS{macros}. This means "$thing" can now
be anything that is fed to syslog(), and passed relatively undamaged to eval. I
can imagine a program taking settings from a config file, including a syslog
facility. You could potentially set a facility like:
"local0;/(((.)*.\1)*.\2)*!/", which would be passed into the eval, leading to
the evaluation of the regex... which (this is just an example) could be
constructed to at least take a lot of time, or memory (exploiting this is a bit
tricky because of the uc() and the split on /\|/ earlier, but Perl is powerful
enough that you can probably do anything. The B module, especially B::CV calls,
come to mind).

If you don't want to test against the existing macros, I'd suggest at least
testing for word-ness:

    return undef unless $thing =~ /^\w+$/;

Second (and this is directed to Marcus Harnisch, author of Unix::Syslog):
The 'best' fix is obviously in Unix::Syslog. It shouldn't default to the
inherited AUTOLOAD (from the DynaLoader). Something like this in the Unix::Syslog
package should catch it:

    sub AUTOLOAD {
        our $AUTOLOAD;          # package variable: fully qualified name that was called
        my $constant = $AUTOLOAD;
        $constant =~ s/.*:://;  # strip the package prefix
        die "Undefined constant $constant"; # or possibly croak()
    }

(Marcus: see the thread that starts here for the background:
http://lists.roaringpenguin.com/pipermail/mimedefang/2011-February/036098.html )

--
Jan-Pieter Cornet <[email protected]>
Systeembeheer XS4ALL Internet bv
Internet: www.xs4all.nl
Contact: www.xs4all.nl/contact
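
Added example, not part of the original message and not MIMEDefang or Unix::Syslog code: the facility lookup discussed above with the word-ness check applied and the string eval replaced by a sub lookup. Demo::Syslog, the table contents and the sample names are constructed, and the lookup assumes the constants are ordinary subs that can() is able to find.

```perl
use strict;
use warnings;

# Constructed stand-in for Unix::Syslog so this runs without the module;
# the values follow the usual <syslog.h> numbering.
package Demo::Syslog;
sub LOG_MAIL   { 2 << 3 }
sub LOG_LOCAL0 { 16 << 3 }
sub LOG_ERR    { 3 }

package main;

# Constructed tables; the real %blacklisted and %special are not on the page.
my %blacklisted = (kern  => 1);
my %special     = (error => 'err');

sub fac_to_num {
    my ($thing) = @_;

    # \A and \z anchor the whole string; /^\w+$/ would also accept "mail\n".
    return undef unless defined $thing && $thing =~ /\A\w+\z/;

    return undef if exists $blacklisted{$thing};
    $thing = $special{$thing} if exists $special{$thing};

    # Resolve the constant as a sub reference instead of compiling a string,
    # so the input never reaches the Perl parser.
    my $code = Demo::Syslog->can('LOG_' . uc $thing) or return undef;
    return $code->();
}

# Constructed inputs: valid names, a blacklisted one, an unknown one,
# a trailing newline, and a name carrying a statement separator.
for my $name ('mail', 'local0', 'error', 'kern', 'nosuch', "mail\n", 'local0;1') {
    my $num = fac_to_num($name);
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-10s => %s\n", $shown, defined $num ? $num : 'rejected';
}
```
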