In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/1279d9234c7e7c0c0cc4d980396201696bace825?hp=38ab612acfe3528276f4a4e63c523d193ea047b8>
- Log ----------------------------------------------------------------- commit 1279d9234c7e7c0c0cc4d980396201696bace825 Author: Chris 'BinGOs' Williams <[email protected]> Date: Thu Jul 28 15:43:19 2016 +0100 Update Module-Load-Conditional to CPAN version 0.66 [DELTA] 0.66 Wed Jul 27 08:22:53 BST 2016 * Add FORCE_SAFE_INC option to fix CVE-2016-1238 ----------------------------------------------------------------------- Summary of changes: Porting/Maintainers.pl | 2 +- .../lib/Module/Load/Conditional.pm | 22 ++++++++++++++++++++-- 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl
index 7c809ee..9cbce9f 100755
--- a/Porting/Maintainers.pl
+++ b/Porting/Maintainers.pl
@@ -929,7 +929,7 @@ use File::Glob qw(:case);
 },
 'Module::Load::Conditional' => {
- 'DISTRIBUTION' => 'BINGOS/Module-Load-Conditional-0.64.tar.gz',
+ 'DISTRIBUTION' => 'BINGOS/Module-Load-Conditional-0.66.tar.gz',
 'FILES' => q[cpan/Module-Load-Conditional],
 },
diff --git a/cpan/Module-Load-Conditional/lib/Module/Load/Conditional.pm b/cpan/Module-Load-Conditional/lib/Module/Load/Conditional.pm
index ace55ad..592bfbb 100644
--- a/cpan/Module-Load-Conditional/lib/Module/Load/Conditional.pm
+++ b/cpan/Module-Load-Conditional/lib/Module/Load/Conditional.pm
@@ -19,14 +19,15 @@ use constant QUOTE => do { ON_WIN32 ? q["] : q['] };
 BEGIN {
 use vars qw[ $VERSION @ISA $VERBOSE $CACHE @EXPORT_OK $DEPRECATED
- $FIND_VERSION $ERROR $CHECK_INC_HASH];
+ $FIND_VERSION $ERROR $CHECK_INC_HASH $FORCE_SAFE_INC ];
 use Exporter;
 @ISA = qw[Exporter];
- $VERSION = '0.64';
+ $VERSION = '0.66';
 $VERBOSE = 0;
 $DEPRECATED = 0;
 $FIND_VERSION = 1;
 $CHECK_INC_HASH = 0;
+ $FORCE_SAFE_INC = 0;
 @EXPORT_OK = qw[check_install can_load requires];
 }
@@ -201,6 +202,9 @@ sub check_install {
 ### so scan the dirs
 unless( $filename ) {
+ local @INC = @INC;
+ pop @INC if $FORCE_SAFE_INC && $INC[-1] eq '.';
+
 DIR: for my $dir ( @INC ) {
 my $fh;
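Review bot: The guard `pop @INC if $FORCE_SAFE_INC && $INC[-1] eq '.';` in check_install's directory scan is opt-in and strips only a trailing '.', and nothing at the site says so. With the default `$FORCE_SAFE_INC = 0` set in the BEGIN hunk the loop still searches the current directory, and a '.' that sits anywhere but last in @INC survives even with the flag on; the same line is repeated in the can_load and requires hunks. A comment such as `### CVE-2016-1238: drop the implicit trailing '.'; only when $FORCE_SAFE_INC is set` above the `local @INC` would make that scope explicit, and `@INC && $INC[-1] eq '.'` would avoid comparing undef when @INC is empty. The enclosing `unless` block continues past the end of the hunk.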
@@ -307,6 +311,8 @@ sub check_install {
 }
 if ( $DEPRECATED and "$]" >= 5.011 ) {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
 require Module::CoreList;
 require Config;
@@ -444,6 +450,9 @@ sub can_load {
 if ( $CACHE->{$mod}->{uptodate} ) {
+ local @INC = @INC;
+ pop @INC if $FORCE_SAFE_INC && $INC[-1] eq '.';
+
 if ( $args->{autoload} ) {
 my $who = (caller())[0];
 eval { autoload_remote $who, $mod };
@@ -509,6 +518,9 @@ sub requires {
 return undef;
 }
+ local @INC = @INC;
+ pop @INC if $FORCE_SAFE_INC && $INC[-1] eq '.';
+
 my $lib = join " ", map { qq["-I$_"] } @INC;
 my $oneliner = 'print(join(qq[\n],map{qq[BONG=$_]}keys(%INC)),qq[\n])';
 my $cmd = join '', qq["$^X" $lib -M$who -e], QUOTE, $oneliner, QUOTE;
@@ -562,6 +574,12 @@ you.
 The default is 0;
+=head2 $Module::Load::Conditional::FORCE_SAFE_INC
+
+This controls whether C<Module::Load::Conditional> sanitises C<@INC>
+by removing "C<.>". The current default setting is C<0>, but this
+may change in a future release.
+
 =head2 $Module::Load::Conditional::CACHE
 This holds the cache of the C<can_load> function. If you explicitly
-- Perl5 Master Repository
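Review bot: In the `$DEPRECATED` branch of check_install (hunk at -307) '.' is popped without consulting `$FORCE_SAFE_INC`, and the hunk gives no hint why this site differs from the other three. Presumably it is unconditional because the `require Module::CoreList; require Config;` that follow are the module's own internal loads rather than a lookup requested by the caller, so they should never be satisfied from the current directory. A one-line comment, e.g. `### internal requires: never load these from cwd (CVE-2016-1238), regardless of $FORCE_SAFE_INC`, would keep a later cleanup from aligning it with the flag-gated sites. The `if` block continues outside the hunk.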
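Review bot: In requires (hunk at -509), popping '.' from the local @INC only keeps it out of the `-I` list built into `$lib`; the child started through `"$^X"` builds its own @INC, which on a perl that still appends '.' by default will contain it again when `-M$who` is resolved. Setting `$FORCE_SAFE_INC` therefore probably does not give this path the protection it gives check_install and can_load. One option, to be verified against the supported perl versions, is to pass `-M-lib=.` ahead of `-M$who` when the flag is set, so the child drops '.' before loading the module. How `$cmd` is executed is outside the hunk.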
