perlcdelta: XSLoader security

Reini Urban · Reini Urban · commit 69a8c254fff2 · 2016-07-19T18:32:49.000+02:00
diff --git a/.git-rr-cache b/.git-rr-cache
@@ -1 +1 @@
-Subproject commit 305164e187c785435b86932a5f52b9763785a5f8
+Subproject commit 3f17d835421805f28888e98058e4906c1b195781
diff --git a/pod/perlcdelta.pod b/pod/perlcdelta.pod
@@ -170,6 +170,17 @@ I<< Note that the standard normal forms NFKD and NFKC ... return (in
 all views) incorrect results for strings containing these
 characters. >>
 
+=head2 XSLoader relative paths with eval or #line
+
+Upstream XSLoader 0.22 (perl 5.26) fixed a minor security problem with
+XSLoader within eval or with a #line directive, which can load a local
+relative shared library, which is not in C<@INC>.  See
+L<[cpan #115808]|https://rt.cpan.org/Ticket/Display.html?id=115808>.
+
+cperl XSLoader was already protected against the eval case since 5.22,
+when being rewritten in C. cperl-5.24.0 fixed now also ignoring a relative
+filename in a C<#line> directive, when the relative path is not in C<@INC>.
+
 =head1 Modules and Pragmata
 
 =head2 New Modules and Pragmata
diff --git a/pod/perldelta.pod b/pod/perldelta.pod
@@ -2226,6 +2226,13 @@ Use cperl instead, see L<[cperl #166]|https://github.com/perl11/cperl/issues/166
 
 =item *
 
+XSLoader security problem with relative paths with eval/#line.
+See L<[cpan #115808]|https://rt.cpan.org/Ticket/Display.html?id=115808>.
+
+Not fixed in 5.24.1, only in cperl, XSLoader 0.22 on cpan and 5.26.
+
+=item *
+
 Methods on readonly packages cannot be called reliably. The method
 cache check fails on them and not existing methods will not fall back
 to the parent or UNIVERSAL or AUTOLOAD methods.  Use cperl instead.
