author | syber <syber@crazypanda.ru> | 2014-08-04 23:47:23 +0400 |
---|---|---|
committer | Rafael Garcia-Suarez <rgs@consttype.org> | 2014-08-05 09:10:37 +0200 |
commit | 23c3e71c90a1dea6c17d193db263796876d2ac52 (patch) | |
tree | fc084c11b7a941adec03a5c04d6ccf312c6a5609 /dist/Safe | |
parent | 883f220b1a9552b53f705c439a73a5c235feaedc (diff) | |
Critical bugfix in module Safe (Opcode). Version increased, changelog and test added.
This example shows code run inside a Safe compartment changing the environment outside it:
package My::Controller;
use strict;
sub jopa { return "jopa\n"; }
package main;
use Safe;
my $s = new Safe;
my $ok = $s->reval(q{
package My::Controller;
sub jopa { return "hacked\n"; }
My::Controller->jopa();
});
print My::Controller->jopa();
Diffstat (limited to 'dist/Safe')
-rw-r--r-- | dist/Safe/Changes | 3 | ||||
-rw-r--r-- | dist/Safe/Safe.pm | 2 | ||||
-rw-r--r-- | dist/Safe/t/safesecurity.t | 32 |
3 files changed, 36 insertions, 1 deletions
diff --git a/dist/Safe/Changes b/dist/Safe/Changes
index 8cde1db330..66b3b5103b 100644
--- a/dist/Safe/Changes
+++ b/dist/Safe/Changes
@@ -1,3 +1,6 @@ +2.36 Mon Aug 04 2014 + - critical bugfix: outside packages could be replaced (fix in Opcode) + 2.35 Thu Feb 21 2013 - localize %SIG in the Safe compartment - actually check that we call execution methods on a Safe object
diff --git a/dist/Safe/Safe.pm b/dist/Safe/Safe.pm
index 4db116dff5..2c0d56a43e 100644
--- a/dist/Safe/Safe.pm
+++ b/dist/Safe/Safe.pm
@@ -3,7 +3,7 @@ package Safe; use 5.003_11; use Scalar::Util qw(reftype refaddr); -$Safe::VERSION = "2.37"; +$Safe::VERSION = "2.38"; # *** Don't declare any lexicals above this point *** #
diff --git a/dist/Safe/t/safesecurity.t b/dist/Safe/t/safesecurity.t
new file mode 100644
index 0000000000..92cd124e67
--- /dev/null
+++ b/dist/Safe/t/safesecurity.t
@@ -0,0 +1,32 @@
+#!perl
+
+BEGIN {
+ require Config;
+ import Config;
+ if ($Config{'extensions'} !~ /\bOpcode\b/) {
+ print "1..0\n";
+ exit 0;
+ }
+}
+
+use strict;
+use warnings;
+use Test::More;
+use Safe;
+plan(tests => 1);
+
+my $c = new Safe;
+
+{
+ package My::Controller;
+ sub jopa { return "jopa" }
+}
+
+$c->reval(q{
+ package My::Controller;
+ sub jopa { return "hacked" }
+
+ My::Controller->jopa; # let it cache package
+});
+
+is(My::Controller->jopa, "jopa", "outside packages cannot be overriden"); |
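Review bot: The new test in dist/Safe/t/safesecurity.t never confirms that the code handed to `$c->reval(...)` actually ran, because both the return value and `$@` are discarded. If the compartment code died before reaching the `sub jopa` redefinition (for example on a denied opcode), the final `is(...)` would still pass without exercising the Opcode fix. I would add `is($@, '', 'code ran inside the compartment');` directly after the `reval` call and change the plan to `plan(tests => 2);`. As a smaller style point, `my $c = new Safe;` uses indirect object syntax, and `my $c = Safe->new;` is the unambiguous form.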