From 2630498e13ce17ef601f532e4ecec5c0489c72b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 18 Oct 2016 17:59:58 +0200
Subject: [PATCH] Do not search cpan -j file in @INC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After removing "." from @INC (CVE-2016-1238), loading explictly
specified configuration file with cpan -j using relative path failed.
This is because relative paths are subject to @INC search within the
"require" function.
Because cpan already checks the file exists before loading it, it's
clear the intention is to load only that file (relative to current
working directory).
Therefore this patch turns the configuration file name into an
absolute path before loading it by "require" function.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/App/Cpan.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
index c654c2c..0f42913 100644
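--- a/lib/App/Cpan.pm
+++ b/lib/App/Cpan.pm
@@ -1100,6 +1100,7 @@ sub _load_config # -j
 delete $INC{'CPAN/Config.pm'};
 croak( "Config file [$file] does not exist!\n" ) unless -e $file;
 
+ $file = File::Spec->rel2abs($file);
 my $rc = eval "require '$file'";
 
 # CPAN::HandleConfig::require_myconfig_or_config looks for this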
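Review bot: The string eval on the line after the added `rel2abs` call still interpolates `$file` into Perl source, so a path containing a single quote ends the quoted string early and the rest is compiled as code; now that the path is made absolute, this also applies to a quote in the current working directory name, not only in the -j argument. A block eval takes the path as data and still skips the @INC search because the path is absolute: `my $rc = eval { require $file };`. The hunk does not show File::Spec being loaded, so confirm the file already has `use File::Spec;` or an equivalent. The body of _load_config begins and ends outside the hunk.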
--
2.7.4