+
+ Make Data::Dumper unserializer safer by using a Safe compartment (Ton Voon)
+
Thu 13 May 2010 10:09:19 CEST - Release 0.85
Make Catalyst::Action::Serialize::View return directly rather than serializing
extends 'Catalyst::Action';
use Data::Serializer;
+use Safe;
+my $compartment = Safe->new;
+$compartment->permit_only( qw(padany null lineseq const pushmark list anonhash anonlist refgen leaveeval undef) );
our $VERSION = '0.85';
$VERSION = eval $VERSION;
}
close(BODY);
}
- my $dso = Data::Serializer->new( serializer => $serializer );
my $rdata;
- eval {
- $rdata = $dso->raw_deserialize($rbody);
- };
+ if ( $serializer eq "Data::Dumper" ) {
+ # Taken from Data::Serialize::Data::Dumper::deserialize, but run within a Safe compartment
+ my $code = $rbody =~ /^\{/ ? "+".$rbody : $rbody;
+ $rdata = $compartment->reval( $code );
+ }
+ else {
+ my $dso = Data::Serializer->new( serializer => $serializer );
+ eval {
+ $rdata = $dso->raw_deserialize($rbody);
+ };
+ }
if ($@) {
return $@;
}
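Review bot: The new Data::Dumper branch is only exercised for the rejected case (the test hunk at the end of this patch posts a body containing `die`); nothing in the commit shows that a well-formed Data::Dumper body still deserializes under the `permit_only` mask, and at least one common form looks likely to be refused: Data::Dumper emits negative integers unquoted, and a literal such as `-1` compiles through a `negate` op, which is not in the list on the `permit_only` line. A positive round-trip test (a nested hash holding an array, an undef and a negative integer, posted as text/x-data-dumper and checked with is_deeply) would confirm the mask is sufficient; if it fails, `negate` is the single op to add rather than a broader grant. The `my $compartment` and `permit_only` lines also deserve a comment stating the intent, e.g. `# Only the ops needed to compile a bare Data::Dumper literal (constants, list/array/hash constructors, refgen for \, undef); any call, assignment or die() in the body is trapped by Safe when the body is compiled.` The enclosing sub starts outside the hunk, so it is not visible here whether `$serializer` has been validated before the string comparison on the `if` line.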
use strict;
use warnings;
-use Test::More tests => 29;
+use Test::More tests => 31;
use FindBin;
use lib ( "$FindBin::Bin/lib", "$FindBin::Bin/../lib" );
}
}
+{
+ my $t = Test::Rest->new( 'content_type' => 'text/x-data-dumper' );
+
+ my $post_data = "{ 'sushi' => die('hack attempt') }";
+ my $mres_post = request(
+ $t->post(
+ url => '/monkey_put',
+ data => $post_data,
+ )
+ );
+ ok( ! $mres_post->is_success, "POST Data::Dumper fails due to invalid input" );
+ like(
+ $mres_post->content,
+ qr%Content-Type text/x-data-dumper had a problem with your request.*'die' trapped by operation mask%s,
+ "POST Data::Dumper data error matches"
+ );
+}
+
1;