[Mimedefang] mimedefang.pl spilling "Use of inherited AUTOLOAD for non-method" errors
Jan-Pieter Cornet
johnpc at xs4all.net
Thu Feb 17 11:21:42 EST 2011
On 2011 Feb 17, at 16:16 , David F. Skoll wrote:
> Here's a patch against my git version of mimedefang.pl.in. Not sure
> how cleanly it will apply to the released or beta version, but if people
> could try it out, I'd appreciate it.
Two small remarks:
> + sub _fac_to_num
> + {
> + my ($thing) = @_;
> + return undef if exists $blacklisted{$thing};
> + $thing = $special{$thing} if exists $special{$thing};
> + $thing = 'LOG_' . uc($thing);
> + return eval "Unix::Syslog::$thing()";
> }
You removed the check against $EXPORT_TAGS{macros}. This means "$thing" can now be anything that is fed to syslog(), and passed relatively undamaged to eval. I can imagine a program taking settings from a config file, including a syslog facility. You could potentially set a facility like: "local0;/(((.)*.\1)*.\2)*!/", which would be passed into the eval, leading to the evaluation of the regex... which (this is just an example) could be constructed to at least take a Lot of time, or memory (exploiting this is a bit tricky because of the uc() and the split on /\|/ earlier, but perl is powerful enough that you can probably do anything. The B module, especially B::CV calls, come to mind).
If you don't want to test against the existing macro's, I'd suggest at least testing for word-ness: return undef unless $thing =~ /^\w+$/;
Second (and this is directed to Marcus Harnisch, author of Unix::Syslog)
The 'best' fix is obviously in Unix::Syslog. It shouldn't default to the inherited AUTOLOAD (from the DynaLoader). Something like this in Unix::Syslog package should catch it:
sub AUTOLOAD {
my $constant = $AUTOLOAD;
$constant =~ s/.*:://;
die "Undefined constant $constant"; # or possibly croak()
}
(Marcus: see the thread that starts here for the background: http://lists.roaringpenguin.com/pipermail/mimedefang/2011-February/036098.html )
--
Jan-Pieter Cornet <johnpc at xs4all.net>
Systeembeheer XS4ALL Internet bv
Internet: www.xs4all.nl
Contact: www.xs4all.nl/contact
More information about the MIMEDefang
mailing list