Ask Bjørn Hansen wrote on 2008-05-10 14:51 (-0700):
> I thought I did that a while ago - you should be able to put in a
> module name in the plugins config and it'll load that module rather
> than do the wrapper around a single plugin file.
Ah, so you did! I had expected this in Qpsmtpd::Plugin, but it's in
Qpsmtpd::_load_plugin.
I'm not sure the way to untaint the data is kosher. Essentially,
unvalidated configuration is eval()ed here.
May I suggest replacing the following:
(Comments mine)
    if ($plugin =~ m/::/) {
        # "full" package plugin (My::Plugin)
        $package = $plugin;
        $package =~ s/[^_a-z0-9:]+//gi;
        my $eval = qq[require $package;\n]
                 . qq[sub ${plugin}::plugin_name { '$plugin' }]; # <-- shouldn't the first plugin be package??
        $eval =~ m/(.*)/s;                                       # <--
        $eval = $1;                                              # <-- forced untaint. red flag!
        eval $eval;
        die "Failed loading $package - eval $@" if $@;
        $self->log(LOGDEBUG, "Loading $package ($plugin_line)")  # <-- actually, it's already loaded by now.
          unless $plugin_line =~ /logging/;
    }
with:
    if ($plugin =~ /::/) {
        # Validate and untaint in one step: only a successful capture lifts the taint.
        ($plugin) = $plugin =~ /^([A-Za-z0-9_:]+)\z/
            or die "Invalid plugin name '$plugin'";
        $package = $plugin;
        # My::Plugin -> My/Plugin.pm, which require() accepts as a file name.
        (my $filename = "$plugin.pm") =~ s[::][/]g;
        $self->log(LOGDEBUG, "Loading $package ($plugin_line)")
          unless $plugin_line =~ /logging/;
        eval { require $filename }
            or die "Cannot load $filename - eval $@";
        # Install plugin_name through the symbol table instead of a string eval.
        no strict 'refs';
        *{ $package . "::plugin_name" } = sub { $plugin };
    }
No string eval anymore. (Note that I have not yet tested this code.)
--
Met vriendelijke groet, Kind regards, Korajn salutojn,
Juerd Waalboer: Perl hacker <[EMAIL PROTECTED]> <http://juerd.nl/sig>
Convolution: ICT solutions and consultancy <[EMAIL PROTECTED]>
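As an added example (my own code, not Juerd's patch and not qpsmtpd's source), the same approach as a stand-alone script that runs under perl -T: the regex capture is the sole untaint step, the file name is derived from the validated package name, and plugin_name is installed through a glob rather than a string eval. The sub names are assumptions, the sample names are constructed, and the regex goes slightly beyond the one in the mail by requiring proper '::' separators.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Validate a plugin name and return an untainted copy. The regex capture is
# the only thing that lifts taint, so a name that does not look like a Perl
# package (letters, digits, underscore, '::' separators) never reaches require().
sub untaint_plugin_name {
    my ($plugin) = @_;
    my ($clean) = $plugin =~ /^([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)*)\z/
        or die "Invalid plugin name '$plugin'\n";
    return $clean;
}

# Map My::Plugin to My/Plugin.pm, the form require() accepts as a file name.
sub plugin_filename {
    my ($package) = @_;
    (my $filename = "$package.pm") =~ s{::}{/}g;
    return $filename;
}

# Load a "full" package plugin and install plugin_name without string eval.
sub load_full_plugin {
    my ($plugin) = @_;
    my $package  = untaint_plugin_name($plugin);
    my $filename = plugin_filename($package);
    eval { require $filename; 1 }
        or die "Cannot load $filename - $@";
    no strict 'refs';
    *{"${package}::plugin_name"} = sub { $package };
    return $package;
}

# Constructed sample names: only the first is a legal package name.
for my $name ('My::Plugin', 'My::Plugin extra', '../Evil', 'My::::Plugin') {
    if (my $clean = eval { untaint_plugin_name($name) }) {
        print "accepted: $clean\n";
    } else {
        print "rejected: $@";    # $@ already ends in a newline
    }
}

# Demonstration: a core module stands in for a plugin that exists on disk.
my $pkg = load_full_plugin('File::Spec');
print $pkg->plugin_name, "\n";
```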