aboutsummaryrefslogtreecommitdiff
path: root/t/inline.t
diff options
context:
space:
mode:
authorSimon McVittie <smcv@debian.org>2016-07-28 09:50:09 +0100
committerSimon McVittie <smcv@debian.org>2016-07-28 09:50:21 +0100
commit4729ff0812c1f3d06d98524e2fec232d3bf90513 (patch)
treefcb8ace67ba164a5463ba23b978baaf058b5f897 /t/inline.t
parenta6c453606ead56312533e0d494e9aaebe6b1e57d (diff)
downloadikiwiki-4729ff0812c1f3d06d98524e2fec232d3bf90513.tar
ikiwiki-4729ff0812c1f3d06d98524e2fec232d3bf90513.tar.gz
Exclude working directory from library path (CVE-2016-1238)
Current Perl versions put '.' at the end of the library search path @INC, although this will be fixed in a future Perl release. This means that when software loads an optionally-present module, it will be looked for in the current working directory before giving up. An attacker could use this to execute arbitrary Perl code from ikiwiki's current working directory. Removing '.' from the library search path in Perl is the correct fix for this vulnerability, but is not trivial to do due to backwards-compatibility concerns. Mitigate this (even if ikiwiki is run with a vulnerable Perl version) by explicitly removing '.' from the search path, and instead looking for ikiwiki's own modules relative to the absolute path of the executable when run from the source directory. In tests that specifically want to use the current working directory, use "-I".getcwd instead of "-I." so we use its absolute path, which is immune to the removal of ".".
Diffstat (limited to 't/inline.t')
-rwxr-xr-xt/inline.t5
1 files changed, 3 insertions, 2 deletions
diff --git a/t/inline.t b/t/inline.t
index 8c0f1c35a..3a4450365 100755
--- a/t/inline.t
+++ b/t/inline.t
@@ -1,6 +1,7 @@
#!/usr/bin/perl
use warnings;
use strict;
+use Cwd qw(getcwd);
use Test::More;
use IkiWiki;
@@ -12,10 +13,10 @@ if ($installed) {
}
else {
ok(! system("make -s ikiwiki.out"));
- @command = qw(perl -I. ./ikiwiki.out
+ @command = ("perl", "-I".getcwd, qw(./ikiwiki.out
--underlaydir=underlays/basewiki
--set underlaydirbase=underlays
- --templatedir=templates);
+ --templatedir=templates));
}
push @command, qw(--set usedirs=0 --plugin inline