Hi all!

I released File-Find-Object version 0.1.1 today with a security fix to a 
potential printf-format vulnerability. The offending code in F-F-O-0.1.0 was 
this:

{{{{{{{{
    if ($rc) {
        printf(STDERR "Avoid loop " . $self->_father($ptr)->dir() . " => %s\n",
            $self->_current_path($current));
        return 0;
    }
}}}}}}}}

As one can see $self->_father($ptr)->dir() is included directly in the 
printf-format, which may cause a lot of unexpected behaviour. There was a 
Perl-sprintf vulnerability a while ago, in which the Perl interpreter 
mis-handled some badly formatted sprintf-values, and in general letting the 
user input stuff directly into the printf-format field is not such a good 
idea. 

->dir() is encountered in the directory tree that File-Find-Object traverses.

Otherwise, there are many other enhancements:

{{{{{{{{
0.1.1 - Wed Oct 22 12:30:56 IST 2008
    - Potential Security Fix!!! No longer passing a filename directly to
    the format in <<printf (STDERR)>> when warning on a loop.
    - Bug fix - the check for a loop was broken.
    - New Feature - Added the ->next_obj() and ->item_obj() methods
    to return a File::Find::Object::Result object instead of a plain
    path.
    - Refactoring:
        - No longer passing $current explicitly from one method to another
        (hello EEK!). Instead, we reference $self->_current()
        - Remmed out the DESTROY method as it was empty.
        - Revamped the _action handling - an array instead of a hash.
        - Created _top and _non_top methods delegated by _is_top using
            _top_it()
        - _current_idx() was eliminated - now it's just $#dir_stack.
        - Created a _copy method to create flat copies of array references.
        - Extracted many methods.
    - Switched Build.PL to inc/Test/Run/Builder.pm - that gives us:
        - ./Build runtest
        - ./Build distruntest
        - ./Build tags
}}}}}}}}

Regards,

        Shlomi Fish

-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
"Humanity" - Parody of Modern Life - http://xrl.us/bkeut

Shlomi, so what are you working on? Working on a new wiki about unit testing 
fortunes in freecell? -- Ran Eilam

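A worked illustration of the format-string point in the announcement above. This is an added example, not code from File-Find-Object or its author: the directory name and path are constructed inputs (a directory that happens to contain printf directives, as anyone with write access to the tree being traversed could create), and the sub names loop_warning_unsafe / loop_warning_safe are hypothetical. It places the 0.1.0-style pattern, where the directory name is concatenated into the format, beside the 0.1.1-style pattern, where the format is a constant and both values are passed as arguments.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not File-Find-Object code. These values are constructed:
# a hostile directory name that contains printf directives, as a user could
# create on disk, and a child path beneath it.
my $hostile_dir  = '/tmp/%s%s%s%s/%d';
my $current_path = '/tmp/%s%s%s%s/%d/child';

# Vulnerable pattern, mirroring F-F-O 0.1.0: the directory name is pasted
# into the format string, so every '%' sequence in it is parsed as a
# directive that consumes arguments (and runs out of them).
sub loop_warning_unsafe {
    my ($dir, $path) = @_;
    return sprintf("Avoid loop " . $dir . " => %s\n", $path);
}

# Hardened pattern, as in 0.1.1: the format is a constant and both values
# are passed as arguments, so nothing taken from the filesystem is ever
# parsed as a directive.
sub loop_warning_safe {
    my ($dir, $path) = @_;
    return sprintf("Avoid loop %s => %s\n", $dir, $path);
}

# Capture the "Missing argument in sprintf" warnings the unsafe call emits,
# so the difference between the two patterns is visible in the output.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

print "unsafe: ", loop_warning_unsafe($hostile_dir, $current_path);
print "  (", scalar(@warnings), " sprintf warnings; the intended path is mangled)\n";

@warnings = ();
print "safe:   ", loop_warning_safe($hostile_dir, $current_path);
print "  (", scalar(@warnings), " sprintf warnings)\n";
```

Run it with `perl loop_warning.pl`. The unsafe call prints a message in which the directory's `%s` and `%d` directives have swallowed the single argument and padded the rest with empty strings and 0, with one warning per missing argument; the safe call prints both values verbatim, `%` signs included, and triggers no warnings. sprintf is used instead of `printf STDERR` only so the message is returned as a string; the format-handling is identical.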