On 2011 Feb 17, at 16:16 , David F. Skoll wrote:

> Here's a patch against my git version of mimedefang.pl.in. Not sure
> how cleanly it will apply to the released or beta version, but if people
> could try it out, I'd appreciate it.
Two small remarks:

> + sub _fac_to_num
> + {
> + my ($thing) = @_;
> + return undef if exists $blacklisted{$thing};
> + $thing = $special{$thing} if exists $special{$thing};
> + $thing = 'LOG_' . uc($thing);
> + return eval "Unix::Syslog::$thing()";
> }

You removed the check against $EXPORT_TAGS{macros}. This means "$thing" can now be anything that is fed to syslog(), and passed relatively undamaged to eval. I can imagine a program taking settings from a config file, including a syslog facility. You could potentially set a facility like: "local0;/(((.)*.\1)*.\2)*!/", which would be passed into the eval, leading to the evaluation of the regex... which (this is just an example) could be constructed to at least take a lot of time, or memory (exploiting this is a bit tricky because of the uc() and the split on /\|/ earlier, but perl is powerful enough that you can probably do anything. The B module, especially B::CV calls, come to mind).

If you don't want to test against the existing macros, I'd suggest at least testing for word-ness:

    return undef unless $thing =~ /^\w+$/;

Second (and this is directed to Marcus Harnisch, author of Unix::Syslog): the 'best' fix is obviously in Unix::Syslog. It shouldn't default to the inherited AUTOLOAD (from the DynaLoader). Something like this in the Unix::Syslog package should catch it:

    sub AUTOLOAD {
        my $constant = $AUTOLOAD;
        $constant =~ s/.*:://;
        die "Undefined constant $constant"; # or possibly croak()
    }

(Marcus: see the thread that starts here for the background:
http://lists.roaringpenguin.com/pipermail/mimedefang/2011-February/036098.html )

-- 
Jan-Pieter Cornet <joh...@xs4all.net>
Systeembeheer XS4ALL Internet bv
Internet: www.xs4all.nl Contact: www.xs4all.nl/contact
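Review bot: in the quoted hunk, `_fac_to_num` hands the caller-supplied `$thing` to `eval "Unix::Syslog::$thing()"` without constraining its contents, so whatever string reaches this function (the thread mentions a facility name taken from a config file) is compiled as Perl code; the membership test against `$EXPORT_TAGS{macros}` that this version drops was what kept unknown names out of that eval. Restore that test, or at minimum insert `return undef unless $thing =~ /^\w+$/;` before the `uc()` line so only identifier characters can reach the eval; once the name is validated, the constant can also be resolved by a symbolic call under `no strict 'refs'` instead of a string eval, which removes the code-compilation step from the path entirely.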
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
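As an added example (not code from the patch, from MIMEDefang or from Unix::Syslog), here is a facility lookup that combines both suggestions from the message above: it applies the word-ness test, checks the name against the LOG_* constants listed in Unix::Syslog's :macros export tag, and resolves the constant by symbolic reference rather than a string eval. The %special alias table and the sample inputs are constructed for the demonstration, and the script needs Unix::Syslog installed.

```perl
#!/usr/bin/perl
# Added example (not from the MIMEDefang patch or from Unix::Syslog):
# a facility lookup that validates the name before Unix::Syslog sees it
# and never hands caller-controlled text to a string eval.
use strict;
use warnings;
use Unix::Syslog qw(:macros);

# Local aliases for facility names. The contents here are an assumption;
# MIMEDefang's real %special table is not reproduced.
my %special = ( security => 'auth' );

# The :macros export tag lists exactly the LOG_* constants the module
# defines, so it serves as the allow-list of names that may be resolved.
my %known_macro = map { ($_ => 1) } @{ $Unix::Syslog::EXPORT_TAGS{macros} };

sub fac_to_num {
    my ($thing) = @_;
    return undef unless defined $thing;

    # 1. Word-ness: anything outside [A-Za-z0-9_] is rejected before any
    #    lookup, so punctuation, whitespace and regex syntax go no further.
    return undef unless $thing =~ /^\w+$/;

    $thing = $special{$thing} if exists $special{$thing};
    $thing = 'LOG_' . uc($thing);

    # 2. Membership: only constants the module actually exports are
    #    accepted, so the module's AUTOLOAD never sees an unknown name.
    return undef unless $known_macro{$thing};

    # 3. Resolve by symbolic reference instead of eval "...": the name has
    #    been validated, and no Perl code is compiled from caller input.
    no strict 'refs';
    return &{"Unix::Syslog::$thing"}();
}

# Constructed sample inputs: two plain names, an alias, a non-word string
# of the kind a config file could carry, and a well-formed but unknown name.
for my $input ('mail', 'local0', 'security', 'local0;1', 'nosuchfacility') {
    my $num = fac_to_num($input);
    printf "%-16s -> %s\n", $input, defined $num ? $num : 'rejected';
}
```

The last two inputs print `rejected`: the first fails the word-ness test before any lookup, the second passes it but is not in the export list, so neither reaches Unix::Syslog.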