Robert Norris (via RT) wrote:
> A Safe compartment with the default operators in place has read access
> to any file that the calling process has permission to access.
>
> ----------
> #!/usr/bin/perl
>
> use Safe;
>
> my $c = Safe->new;
> my $x = $c->reval(q(local (@ARGV, $/) = '/etc/passwd'; <>));
> print $x;
> ----------
>
> The "workaround" is to disable :base_io (which I should have done
> anyway).
>
> Now this isn't a bug as such (the documentation does state that :base_io
> allows filehandle access), but it certainly wasn't what I expected. It
> allows one to (partially) get around calls like open() not being
> available, which is all malicious code may need to read files that
> should remain hidden.
>
> I'll leave it up to you to decide whether or not this is actually an
> issue. My feeling is that the documentation needs to be updated, and
> access to <> needs to be blocked by default.
That can't be done. Safe operates at the operation level, and doesn't check
their arguments.

> If that can't be done,
> perhaps :base_io needs to be removed from the default operators
> altogether.

I just did that in bleadperl with change 25204:
http://public.activestate.com/cgi-bin/perlbrowse?patch=25204

This is backwards-incompatible, but the Opcode docs state that no
compatibility is to be expected, and anyway I prefer security to not
breaking things :)

Sidenote: it would be difficult to backport Opcode to CPAN, since it's
extremely dependent on the perl interpreter itself.

-- 
Fix in six / Fix in six / Much more than just aesthetics
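Added example, not part of the thread or of the Safe/Opcode distribution: it runs the reported `@ARGV` plus `<>` trick against two compartments, one that permits `:base_io` (the pre-change default) and one that explicitly denies it, so that the compartment is closed whatever a given Opcode version puts in `:default`. The file read is a constructed temporary file standing in for /etc/passwd.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;
use File::Temp qw(tempfile);

# Constructed stand-in for /etc/passwd so the script runs offline
# without touching a real system file.
my ($tmp, $secret_path) = tempfile(UNLINK => 1);
print $tmp "root:x:0:0:root:/root:/bin/sh\n";
close $tmp;

# Code handed to the compartment: the construct from the report, which
# points @ARGV at a file and slurps it through <> (the readline op).
my $untrusted = "local (\@ARGV, \$/) = '$secret_path'; <>";

sub run_in_compartment {
    my ($label, $compartment) = @_;
    my $result = $compartment->reval($untrusted);
    if ($@) {
        print "$label: trapped -> $@";
    } else {
        print "$label: compartment returned the file contents: $result";
    }
}

# Compartment with :base_io permitted (what :default contained before
# change 25204): readline is allowed, so the file leaks out.
my $open = Safe->new;
$open->permit(':base_io');
run_in_compartment('with :base_io', $open);

# Hardened compartment: deny :base_io regardless of what this Opcode
# version's :default includes. The readline op is rejected at compile
# time, so the compartment never sees the file.
my $closed = Safe->new;
$closed->deny(':base_io');
run_in_compartment('without :base_io', $closed);

# Denying :base_io leaves ordinary computation inside the compartment
# untouched (no I/O ops are involved here).
my $sum = $closed->reval('my $t = 0; $t += $_ for 1 .. 10; $t');
print "harmless code still runs: $sum\n";
```

The denied case reports the readline as "trapped by operation mask" in `$@`, which is the signal to log when auditing code run through Safe.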