On Wed, Dec 05, 2012 at 10:51:47AM -0500, Ricardo Signes wrote:
> Locale::Maketext is a core l10n library that expands templates found in
> strings.
>
> Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
> and these fixes are now in blead and on the CPAN.
>
> The commit in question is
> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
>
> The flaws are:
>
> * in a [method,x,y,z] template, the method could be a fully-qualified name
> * template expansion did not properly quote metacharacters, allowing
>   code injection through a malicious template
>
> Please upgrade your Locale::Maketext, especially if you allow user-provided
> templates.
Thanks for this! I wondered (and the question has arisen within the
Debian project) whether anyone might be relying on the previous
behaviour? Have you been able to do any assessment of this?
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)