
Re: security notice: Locale::Maketext

From: Thomas Sibley <t...@bestpractical.com>
Wed, 05 Dec 2012 13:43:25 -0800
On 12/05/2012 07:51 AM, Ricardo Signes wrote:
> Locale::Maketext is a core l10n library that expands templates found in
> strings.
>
> Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
> and these fixes are now in blead and on the CPAN.
>
> The commit in question is
> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
>
> The flaws are:
>
> * in a [method,x,y,z] template, the method could be a fully-qualified name
> * template expansion did not properly quote metacharacters, allowing
>   code injection through a malicious template
>
> Please upgrade your Locale::Maketext, especially if you allow user-provided
> templates.

The commit mentioned above prevents cross-package method calls, but
still leaves any of the methods in the Locale::Maketext subclass wide
open.  This makes it easy for a security problem to crop up again.

For example: _try_use is a near miss.  If, through seemingly harmless
cleanup, it's ever made into a method, it will allow arbitrary eval via
loc-strings.

Another example: User provided loc-strings have full access to
CORE::sprintf() via Locale::Maketext::sprintf(), and generally
user-provided format strings are a red flag (although not necessarily
exploitable in the current maketext implementation).

Existing subclasses, though not Perl's responsibility, may already have
viable attack vectors via added methods.  Upgrading Locale::Maketext
won't fix those, and there should probably be some doc warning subclass
authors (i.e. any Locale::Maketext user :) about it so that they don't
think upgrading is the complete fix.

Thomas
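The residual attack surface described in the message above, as an added example (this is not code from the original message, from anyone in the thread, or from Locale::Maketext itself): a Locale::Maketext subclass adds one ordinary-looking method, and a user-supplied template reaches it through bracket notation, just as it reaches Locale::Maketext::sprintf. The package and method names (MyApp::L10N, run_report) are hypothetical; the whitelist() call at the end assumes a Locale::Maketext release newer than this thread that provides that method, and is skipped when the installed version does not.

```perl
#!/usr/bin/perl
# Added example: not code from the original message nor from Locale::Maketext.
# Bracket notation in a loc-string dispatches to any method of the language
# handle, so every method a Locale::Maketext subclass adds becomes part of the
# attack surface of user-provided templates. MyApp::L10N and run_report are
# hypothetical names chosen for this example.
use strict;
use warnings;
use Locale::Maketext;

package MyApp::L10N;
our @ISA = ('Locale::Maketext');

package MyApp::L10N::en;
our @ISA = ('MyApp::L10N');
# _AUTO => 1 makes maketext() compile an unknown key as a template, which is
# what happens when an application feeds user-supplied strings to it.
our %Lexicon = ( _AUTO => 1 );

# A harmless-looking helper added by the subclass author. Because it is a
# method on the handle, the template [run_report,...] can call it.
sub run_report {
    my ($lh, $name) = @_;
    return "REPORT for $name";   # picture a file read or a system() here
}

package main;

my $lh = MyApp::L10N->get_handle('en') or die "no language handle";

# Constructed templates standing in for attacker-controlled input.
my @user_templates = (
    '[sprintf,%05.1f|%s,_1,_2]',   # reaches Locale::Maketext::sprintf -> CORE::sprintf
    '[run_report,_1]',             # reaches the subclass's own method
);
for my $tpl (@user_templates) {
    my $out = $lh->maketext($tpl, 3.14159, 'x');
    print "$tpl => $out\n";
}

# Mitigation: restrict which methods bracket notation may call at all.
# Assumption: the installed Locale::Maketext provides whitelist() (added in
# releases after this thread); on older versions this block is skipped.
if ($lh->can('whitelist')) {
    $lh->whitelist(qw(quant numf numerate));
    # Compiled templates are cached in the lexicon, so a template string that
    # differs from the one compiled above is used to force recompilation.
    for my $tpl ('[run_report,_1] ', '[quant,_1,item,items]') {
        my $out = eval { $lh->maketext($tpl, 3) };
        if (defined $out) {
            print "$tpl => $out\n";
        }
        else {
            (my $err = $@) =~ s/\s+\z//;
            print "$tpl => rejected ($err)\n";
        }
    }
}
```

Running this against a patched Locale::Maketext still prints the sprintf result and the output of run_report for the first two templates: the December 2012 commit stops cross-package names, but any method defined on the handle's class hierarchy remains callable from a template. The whitelist() section shows the shape of the check a subclass author needs in order to close that gap; on versions without it, the only safe course is not to compile user-controlled strings as templates.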
