Hi all! I released File-Find-Object version 0.1.1 today with a security fix to a potential printf-format vulnerability. The offending code in F-F-O-0.1.0 was this:
{{{{{{{{
if ($rc)
{
    printf(STDERR "Avoid loop " . $self->_father($ptr)->dir() . " => %s\n",
        $self->_current_path($current));
    return 0;
}
}}}}}}}}

As one can see, $self->_father($ptr)->dir() is included directly in the printf format, which may cause a lot of unexpected behaviour. There was a Perl sprintf vulnerability a while ago, in which the Perl interpreter mis-handled some badly formatted sprintf values, and in general letting the user input stuff directly into the printf-format field is not such a good idea. ->dir() is encountered in the directory tree that File-Find-Object traverses.

Otherwise, there are many other enhancements:

{{{{{{{{
0.1.1 - Wed Oct 22 12:30:56 IST 2008
- Potential Security Fix!!! No longer passing a filename directly to the
  format in <<printf (STDERR)>> when warning on a loop.
- Bug fix - the check for a loop was broken.
- New Feature - Added the ->next_obj() and ->item_obj() methods to return
  a File::Find::Object::Result object instead of a plain path.
- Refactoring:
    - No longer passing $current explicitly from one method to another
      (hello EEK!). Instead, we reference $self->_current()
    - Remmed out the DESTROY method as it was empty.
    - Revamped the _action handling - an array instead of a hash.
    - Created _top and _non_top methods delegated by _is_top using _top_it()
    - _current_idx() was eliminated - now it's just $#dir_stack.
    - Created a _copy method to create flat copies of array references.
    - Extracted many methods.
- Switched Build.PL to inc/Test/Run/Builder.pm - that gives us:
    - ./Build runtest
    - ./Build distruntest
    - ./Build tags
}}}}}}}}

Regards,

Shlomi Fish

-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
"Humanity" - Parody of Modern Life - http://xrl.us/bkeut

Shlomi, so what are you working on? Working on a new wiki about unit testing fortunes in freecell?
-- Ran Eilam
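The loop-warning pattern quoted above, shown side by side with the shape the 0.1.1 fix takes, as an added example that is not part of the original post or of File-Find-Object's own code. The directory name and the two `warn_loop_*` subroutines are constructed for illustration; the point is that a directory name containing `%` sequences is parsed as printf directives when it is concatenated into the format, but is printed literally when it travels as an argument.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: a directory name that happens to contain
# printf directives. Such names are legal on most filesystems, and
# File::Find::Object reads them from whatever tree it traverses.
my $dir          = '/srv/data/report_100%s_of_%d';
my $current_path = '/srv/data/report_100%s_of_%d/link';

# Same shape as the 0.1.0 code: the directory name is concatenated into
# the format string, so its '%s' and '%d' act as directives. The first
# '%s' consumes the only argument, '%d' has no argument left (Perl warns
# "Missing argument" and prints 0) and the intended trailing '%s' is empty.
sub warn_loop_unsafe {
    my ($dir, $current) = @_;
    return sprintf("Avoid loop " . $dir . " => %s\n", $current);
}

# Same shape as the 0.1.1 fix: the format is a constant under the
# programmer's control and every piece of filesystem-derived data is an
# argument, so '%' characters in the name are just text.
sub warn_loop_safe {
    my ($dir, $current) = @_;
    return sprintf("Avoid loop %s => %s\n", $dir, $current);
}

{
    # Surface the interpreter's own complaint about the mangled format.
    local $SIG{__WARN__} = sub { print STDERR "  (perl warned: $_[0])" };
    print "unsafe: ", warn_loop_unsafe($dir, $current_path);
}
print "safe:   ", warn_loop_safe($dir, $current_path);
```

Running it shows the unsafe variant reporting a directory that does not exist (the argument is spliced into the middle of the name) plus a "Missing argument in sprintf" warning, while the safe variant prints both paths verbatim. When no formatting is actually needed, plain interpolation such as `print STDERR "Avoid loop $dir => $current\n"` avoids the format parser altogether and is the simplest fix.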