(perl #131895) fail stat on names with \0 embedded

Also lstat() and the file test ops.
author: Tony Cook <tony@develop-help.com> 2017-11-02 20:18:56 +0000
committer: Zefram <zefram@fysh.org> 2017-11-02 20:18:56 +0000
commit: a155eb055a920e456f1b3a516de544bdf104322e (patch)
tree: 9939cbab7f268380fef43363364fede6b88ab327 /pp_sys.c
parent: f5727a1c71878a34f6255eb1a506c0b21af7d36f (diff)
download: perl-a155eb055a920e456f1b3a516de544bdf104322e.tar.gz
1 files changed, 23 insertions, 6 deletions
diff --git a/pp_sys.c b/pp_sys.c
index a41b1880fe..672e7de08e 100644
--- a/pp_sys.c
+++ b/pp_sys.c
@@ -2952,19 +2952,24 @@ PP(pp_stat)
     }
     else {
         const char *file;
+        const char *temp;
+        STRLEN len;
 	if (SvROK(sv) && SvTYPE(SvRV(sv)) == SVt_PVIO) { 
             io = MUTABLE_IO(SvRV(sv));
             if (PL_op->op_type == OP_LSTAT)
                 goto do_fstat_warning_check;
             goto do_fstat_have_io; 
         }
-        
 	SvTAINTED_off(PL_statname); /* previous tainting irrelevant */
-	sv_setpv(PL_statname, SvPV_nomg_const_nolen(sv));
+        temp = SvPV_nomg_const(sv, len);
+	sv_setpv(PL_statname, temp);
 	PL_statgv = NULL;
 	PL_laststype = PL_op->op_type;
         file = SvPV_nolen_const(PL_statname);
-	if (PL_op->op_type == OP_LSTAT)
+        if (!IS_SAFE_PATHNAME(temp, len, OP_NAME(PL_op))) {
+            PL_laststatval = -1;
+        }
+	else if (PL_op->op_type == OP_LSTAT)
 	    PL_laststatval = PerlLIO_lstat(file, &PL_statcache);
 	else
 	    PL_laststatval = PerlLIO_stat(file, &PL_statcache);
@@ -3198,8 +3203,12 @@ PP(pp_ftrread)
 
     if (use_access) {
 #if defined(HAS_ACCESS) || defined (PERL_EFF_ACCESS)
-	const char *name = SvPV_nolen(*PL_stack_sp);
-	if (effective) {
+        STRLEN len;
+	const char *name = SvPV(*PL_stack_sp, len);
+        if (!IS_SAFE_PATHNAME(name, len, OP_NAME(PL_op))) {
+            result = -1;
+        }
+	else if (effective) {
 #  ifdef PERL_EFF_ACCESS
 	    result = PERL_EFF_ACCESS(name, access_mode);
 #  else
@@ -3524,10 +3533,18 @@ PP(pp_fttext)
     }
     else {
         const char *file;
+        const char *temp;
+        STRLEN temp_len;
         int fd; 
 
         assert(sv);
-	sv_setpv(PL_statname, SvPV_nomg_const_nolen(sv));
+        temp = SvPV_nomg_const(sv, temp_len);
+	sv_setpv(PL_statname, temp);
+        if (!IS_SAFE_PATHNAME(temp, temp_len, OP_NAME(PL_op))) {
+            PL_laststatval = -1;
+            PL_laststype = OP_STAT;
+            FT_RETURNUNDEF;
+        }
       really_filename:
         file = SvPVX_const(PL_statname);
 	PL_statgv = NULL;
author	Tony Cook <tony@develop-help.com>	2017-11-02 20:18:56 +0000
committer	Zefram <zefram@fysh.org>	2017-11-02 20:18:56 +0000
commit	a155eb055a920e456f1b3a516de544bdf104322e (patch)
tree	9939cbab7f268380fef43363364fede6b88ab327 /pp_sys.c
parent	f5727a1c71878a34f6255eb1a506c0b21af7d36f (diff)
download	perl-a155eb055a920e456f1b3a516de544bdf104322e.tar.gz