The stub code used eval("...") to read in the data structure in the DATA

section, which is unsafe, as someone could slip in executable code. Replaced by Safe::reval.
mschilli · Apr 26, 2011 · aacf766 · aacf766
1 parent 1f59cee
commit aacf766
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/bin/pogo-worker-stub b/bin/pogo-worker-stub
@@ -11,6 +11,7 @@ use constant LOCKFILE     => '/tmp/pogo_worker.lock';
 use constant POST_HOOKDIR => '/etc/pogo/post.d/';
 use constant PRE_HOOKDIR  => '/etc/pogo/pre.d/';
 use constant TEMPDIR      => '/tmp';
+use Safe;
 
 $SIG{HUP} = $SIG{INT} = $SIG{TERM} = $SIG{__DIE__} = \&cleanup;
 
@@ -49,7 +50,9 @@ sub run_hooks {
 
 sub main {
   print "\n";
-  $opts = eval(<DATA>);
+  my $compartment = Safe->new();
+  $opts = $compartment->reval(<DATA>);
+  die "safe eval failed: $@" if $@;
   die "bad options\n"
     unless $opts->{job}
       && $opts->{command}