[libyaml-libyaml-perl] 01/02: Control blessing of loaded objects through an environment variable
Christoph Biedl
debian.axhn at manchmal.in-ulm.de
Fri May 19 16:15:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
cbiedl-guest pushed a commit to branch yaml-unsafe
in repository libyaml-libyaml-perl.
commit 9d4847733ecf05fde0419da5bb2d3091d2a194f9
Author: Christoph Biedl <debian.axhn at manchmal.in-ulm.de>
Date: Thu May 18 19:44:28 2017 +0000
Control blessing of loaded objects through an environment variable
---
debian/patches/control-blessing.patch | 49 +++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
debian/rules | 1 +
3 files changed, 51 insertions(+)
diff --git a/debian/patches/control-blessing.patch b/debian/patches/control-blessing.patch
new file mode 100644
index 0000000..289a9bf
--- /dev/null
+++ b/debian/patches/control-blessing.patch
@@ -0,0 +1,49 @@
+--- a/LibYAML/perl_libyaml.c
++++ b/LibYAML/perl_libyaml.c
+@@ -290,6 +290,19 @@
+ }
+
+ /*
++ * Check for the unsafe YAML instantiation flag
++ */
++int
++use_yaml_unsafe()
++{
++ HV *env = get_hv("ENV", 0);
++ if (!env)
++ return 0;
++ SV **svp = hv_fetch(env, "PERL_USE_UNSAFE_YAML", 20, 0);
++ return svp && SvTRUE (*svp);
++}
++
++/*
+ * Load a YAML mapping into a Perl hash
+ */
+ SV *
+@@ -320,7 +333,7 @@
+ /* Deal with possibly blessing the hash if the YAML tag has a class */
+ if (tag && strEQ(tag, TAG_PERL_PREFIX "hash"))
+ tag = NULL;
+- if (tag) {
++ if (use_yaml_unsafe() && tag) {
+ char *class;
+ char *prefix = TAG_PERL_PREFIX "hash:";
+ if (*tag == '!') {
+@@ -354,7 +367,7 @@
+ }
+ if (tag && strEQ(tag, TAG_PERL_PREFIX "array"))
+ tag = NULL;
+- if (tag) {
++ if (use_yaml_unsafe() && tag) {
+ char *class;
+ char *prefix = TAG_PERL_PREFIX "array:";
+ if (*tag == '!')
+@@ -448,7 +461,7 @@
+ SPAGAIN;
+ regexp = newSVsv(POPs);
+
+- if (strlen(tag) > strlen(prefix) && strnEQ(tag, prefix, strlen(prefix))) {
++ if (use_yaml_unsafe() && strlen(tag) > strlen(prefix) && strnEQ(tag, prefix, strlen(prefix))) {
+ char *class = tag + strlen(prefix);
+ sv_bless(regexp, gv_stashpv(class, TRUE));
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 43edb66..94b5aef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
disable-update.sh.patch
libyaml-node-id-hardening.patch
Load-B-Deparse-at-runtime.patch
+control-blessing.patch
diff --git a/debian/rules b/debian/rules
index 73c5dbc..c3bb9d4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,7 @@
#!/usr/bin/make -f
export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
+export PERL_USE_UNSAFE_YAML=1
%:
dh $@
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libyaml-libyaml-perl.git
More information about the Pkg-perl-cvs-commits
mailing list