Fix bug #17744, suggested by Andreas Jurenda,

tweaked by rgs (security hole in Safe).

p4raw-id: //depot/perl@17976

2 files changed, 36 insertions, 3 deletions

diff --git a/ext/Opcode/Safe.pm b/ext/Opcode/Safe.pm
index e8efaa941d..8d875ef5b2 100644
--- a/ext/Opcode/Safe.pm
+++ b/ext/Opcode/Safe.pm
@@ -214,11 +214,11 @@ sub reval {
     # Create anon sub ref in root of compartment.
     # Uses a closure (on $expr) to pass in the code to be executed.
     # (eval on one line to keep line numbers as expected by caller)
-	my $evalcode = sprintf('package %s; sub { eval $expr; }', $root);
+    my $evalcode = sprintf('package %s; sub { @_ = (); eval $expr; }', $root);
     my $evalsub;
 
-	if ($strict) { use strict; $evalsub = eval $evalcode; }
-	else         {  no strict; $evalsub = eval $evalcode; }
+    if ($strict) { use strict; $evalsub = eval $evalcode; }
+    else         {  no strict; $evalsub = eval $evalcode; }
 
     return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
 }
diff --git a/ext/Safe/safe3.t b/ext/Safe/safe3.t
new file mode 100644
index 0000000000..c924762faa
--- /dev/null
+++ b/ext/Safe/safe3.t
@@ -0,0 +1,33 @@
+#!perl
+
+BEGIN {
+    if ($ENV{PERL_CORE}) {
+	chdir 't' if -d 't';
+	@INC = '../lib';
+	require Config; import Config;
+	if ($Config{'extensions'} !~ /\bOpcode\b/
+	    && $Config{'extensions'} !~ /\bPOSIX\b/
+	    && $Config{'osname'} ne 'VMS')
+	{
+	    print "1..0\n";
+	    exit 0;
+	}
+    }
+}
+
+use strict;
+use warnings;
+use POSIX qw(ceil);
+use Test::More tests => 1;
+use Safe;
+
+my $safe = new Safe;
+$safe->deny('add');
+
+# Attempt to change the opmask from within the safe compartment
+$safe->reval( qq{\$_[1] = q/\0/ x } . ceil( Opcode::opcodes / 8 ) );
+
+# Check that it didn't work
+$safe->reval( q{$x + $y} );
+like( $@, qr/^'?addition \(\+\)'? trapped by operation mask/,
+	    'opmask still in place' );