Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path @INC, although this will be fixed in a future Perl release. This means that when software loads an optionally-present module, it will be looked for in the current working directory before giving up. An attacker could use this to execute arbitrary Perl code from ikiwiki's current working directory. Removing '.' from the library search path in Perl is the correct fix for this vulnerability, but is not trivial to do due to backwards-compatibility concerns. Mitigate this (even if ikiwiki is run with a vulnerable Perl version) by explicitly removing '.' from the search path, and instead looking for ikiwiki's own modules relative to the absolute path of the executable when run from the source directory. In tests that specifically want to use the current working directory, use "-I".getcwd instead of "-I." so we use its absolute path, which is immune to the removal of ".".master
Simon McVittie
parent
a6c453606e
commit
4729ff0812
|
|
@ -1,7 +1,8 @@
|
|||
#!/usr/bin/perl
|
||||
no lib '.';
|
||||
use warnings;
|
||||
use strict;
|
||||
use lib '.'; # For use in nonstandard directory, munged by Makefile.
|
||||
use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
|
||||
use IkiWiki;
|
||||
use IkiWiki::Setup;
|
||||
use Getopt::Long;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
#!/usr/bin/perl
|
||||
no lib '.';
|
||||
use warnings;
|
||||
use strict;
|
||||
use lib '.'; # For use in nonstandard directory, munged by Makefile.
|
||||
use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
|
||||
use IkiWiki;
|
||||
use IkiWiki::Plugin::comments;
|
||||
use Getopt::Long;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
#!/usr/bin/perl
|
||||
no lib '.';
|
||||
use warnings;
|
||||
use strict;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
#!/usr/bin/perl
|
||||
no lib '.';
|
||||
use warnings;
|
||||
use strict;
|
||||
use lib '.'; # For use in nonstandard directory, munged by Makefile.
|
||||
use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
|
||||
use IkiWiki;
|
||||
use HTML::Entities;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl -t
|
||||
# Add a user to the system wide wikilist.
|
||||
# This script can safely be made suid or put in /etc/sudoers.
|
||||
no lib '.';
|
||||
use warnings;
|
||||
use strict;
|
||||
use English;
|
||||
|
|
|
|||
|
|
@ -1,9 +1,10 @@
|
|||
#!/usr/bin/perl
|
||||
package IkiWiki;
|
||||
|
||||
no lib '.';
|
||||
use warnings;
|
||||
use strict;
|
||||
use lib '.'; # For use in nonstandard directory, munged by Makefile.
|
||||
use FindBin; use lib $FindBin::Bin; # For use in nonstandard directory, munged by Makefile.
|
||||
use IkiWiki 3.00;
|
||||
|
||||
sub usage () {
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ if (/INSTALLDIR_AUTOREPLACE/) {
|
|||
elsif (/VERSION_AUTOREPLACE/) {
|
||||
$_=qq{our \$version="$ver";};
|
||||
}
|
||||
elsif (/^use lib/) {
|
||||
elsif (/^(?:use FindBin; *)?use lib/) {
|
||||
# The idea here is to figure out if the libdir the Makefile.PL
|
||||
# was configured to use is in perl's normal search path.
|
||||
# If not, hard code it into ikiwiki.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More;
|
||||
|
||||
my $installed = $ENV{INSTALLED_TESTS};
|
||||
|
|
@ -14,10 +15,10 @@ if ($installed) {
|
|||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
ok(! system("make underlay_install DESTDIR=`pwd`/t/tmp/install PREFIX=/usr >/dev/null"));
|
||||
@command = qw(env LC_ALL=C perl -I. ./ikiwiki.out
|
||||
@command = (qw(env LC_ALL=C perl), "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=t/tmp/install/usr/share/ikiwiki/basewiki
|
||||
--set underlaydirbase=t/tmp/install/usr/share/ikiwiki
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
foreach my $plugin ("", "listdirectives") {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More;
|
||||
use IkiWiki;
|
||||
|
||||
|
|
@ -17,10 +18,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
my $comment;
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
# Tests for bugs relating to conflicting files in the srcdir
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More tests => 106;
|
||||
|
||||
my $installed = $ENV{INSTALLED_TESTS};
|
||||
|
|
@ -13,10 +14,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
# setup
|
||||
|
|
|
|||
5
t/img.t
5
t/img.t
|
|
@ -13,6 +13,7 @@ package IkiWiki;
|
|||
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More;
|
||||
plan(skip_all => "Image::Magick not available")
|
||||
unless eval q{use Image::Magick; 1};
|
||||
|
|
@ -27,10 +28,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
push @command, qw(--set usedirs=0 --plugin img t/tmp/in t/tmp/out --verbose);
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More;
|
||||
use IkiWiki;
|
||||
|
||||
|
|
@ -12,10 +13,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
push @command, qw(--set usedirs=0 --plugin inline
|
||||
|
|
|
|||
5
t/meta.t
5
t/meta.t
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More;
|
||||
use IkiWiki;
|
||||
|
||||
|
|
@ -16,10 +17,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
push @command, qw(--plugin meta --disable-plugin htmlscrubber);
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More;
|
||||
|
||||
my $installed = $ENV{INSTALLED_TESTS};
|
||||
|
|
@ -11,10 +12,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
ok(! system("rm -rf t/tmp"));
|
||||
|
|
|
|||
|
|
@ -25,10 +25,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@base_command = qw(perl -I. ./ikiwiki.out
|
||||
@base_command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
my $tmp = 't/tmp';
|
||||
|
|
|
|||
|
|
@ -24,10 +24,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
sub parse_cgi_content {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
use warnings;
|
||||
use strict;
|
||||
use Cwd qw(getcwd);
|
||||
use Test::More;
|
||||
use IkiWiki;
|
||||
|
||||
|
|
@ -35,10 +36,10 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(perl -I. ./ikiwiki.out
|
||||
@command = ("perl", "-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
push @command, qw(--set usedirs=0 --plugin trail --plugin inline
|
||||
|
|
|
|||
|
|
@ -22,10 +22,11 @@ if ($installed) {
|
|||
}
|
||||
else {
|
||||
ok(! system("make -s ikiwiki.out"));
|
||||
@command = qw(env PERL5LIB=t/tmp:blib/lib:blib/arch perl -I. ./ikiwiki.out
|
||||
@command = (qw(env PERL5LIB=t/tmp:blib/lib:blib/arch perl),
|
||||
"-I".getcwd, qw(./ikiwiki.out
|
||||
--underlaydir=underlays/basewiki
|
||||
--set underlaydirbase=underlays
|
||||
--templatedir=templates);
|
||||
--templatedir=templates));
|
||||
}
|
||||
|
||||
writefile("test.setup", "t/tmp", <<EOF
|
||||
|
|
|
|||
Loading…
Reference in New Issue