Re: Perl PR: "Security holes in Sys::Syslog"

Message-ID: <20051206145612.GA94530@penkwe.pair.com>

p4raw-id: //depot/perl@26278

diff --git a/ext/Sys/Syslog/Syslog.pm b/ext/Sys/Syslog/Syslog.pm
index 56cf18a..d275c0e 100644 (file)
--- a/ext/Sys/Syslog/Syslog.pm
+++ b/ext/Sys/Syslog/Syslog.pm
@@ -328,7 +328,14 @@ sub syslog {
 
     $whoami .= "[$$]" if our $lo_pid;
 
-    $mask =~ s/(?<!%)%m/$!/g;
+    if ($mask =~ /%m/) {
+       my $err = $!;
+       # escape percent signs if sprintf will be called
+       $err =~ s/%/%%/g if @_;
+       # replace %m with $err, if preceded by an even number of percent signs
+       $mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g;
+    }
+
     $mask .= "\n" unless $mask =~ /\n$/;
     $message = @_ ? sprintf($mask, @_) : $mask;