[Mimedefang] mimedefang.pl spilling "Use of inherited AUTOLOAD for non-method" errors

Jan-Pieter Cornet johnpc at xs4all.net
Thu Feb 17 11:21:42 EST 2011

On 2011 Feb 17, at 16:16 , David F. Skoll wrote:
> Here's a patch against my git version of mimedefang.pl.in.  Not sure
> how cleanly it will apply to the released or beta version, but if people
> could try it out, I'd appreciate it.

Two small remarks:
> +        sub _fac_to_num
> +	{
> +		my ($thing) = @_;
> +		return undef if exists $blacklisted{$thing};
> +		$thing = $special{$thing} if exists $special{$thing};
> +		$thing = 'LOG_' . uc($thing);
> +		return eval "Unix::Syslog::$thing()";
> 	}

You removed the check against $EXPORT_TAGS{macros}. This means "$thing" can now be anything that is fed to syslog(), and passed relatively undamaged to eval. I can imagine a program taking settings from a config file, including a syslog facility. You could potentially set a facility like: "local0;/(((.)*.\1)*.\2)*!/", which would be passed into the eval, leading to the evaluation of the regex... which (this is just an example) could be constructed to at least take a Lot of time, or memory (exploiting this is a bit tricky because of the uc() and the split on /\|/ earlier, but perl is powerful enough that you can probably do anything. The B module, especially B::CV calls, come to mind).

If you don't want to test against the existing macro's, I'd suggest at least testing for word-ness: return undef unless $thing =~ /^\w+$/;

Second (and this is directed to Marcus Harnisch, author of Unix::Syslog)

The 'best' fix is obviously in Unix::Syslog. It shouldn't default to the inherited AUTOLOAD (from the DynaLoader). Something like this in Unix::Syslog package should catch it:

    my $constant = $AUTOLOAD;
    $constant =~ s/.*:://;
    die "Undefined constant $constant"; # or possibly croak()

(Marcus: see the thread that starts here for the background: http://lists.roaringpenguin.com/pipermail/mimedefang/2011-February/036098.html )

Jan-Pieter Cornet <johnpc at xs4all.net>
Systeembeheer XS4ALL Internet bv
Internet: www.xs4all.nl
Contact: www.xs4all.nl/contact

More information about the MIMEDefang mailing list