From e397d929e40a73c0bd3b6f8ea47bba7734d39b91 Mon Sep 17 00:00:00 2001
From: miker
Date: Thu, 17 Sep 2009 01:54:21 +0000
Subject: [PATCH] use Safe to protect against EVIL evals coming in from the outside world -- we share the environment into the Safe compartment using the name $current_environment
git-svn-id: svn://svn.open-ils.org/ILS/trunk@14032 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm b/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm
index 07a27aea4..e64b9d0d8 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Trigger/Event.pm
@@ -8,6 +8,8 @@ use OpenILS::Utils::Fieldmapper;
 use OpenILS::Utils::CStoreEditor q/:funcs/;
 use OpenILS::Application::Trigger::ModRunner;
+use Safe;
+
 my $log = 'OpenSRF::Utils::Logger';
 sub new {
@@ -348,6 +350,8 @@ sub update_state {
 return $ok || undef;
 }
+my $current_environment;
+
 sub build_environment {
 my $self = shift;
 return $self if ($self->environment->{complete});
@@ -356,12 +360,18 @@ sub build_environment {
 try {
+ my $compartment = new Safe;
+ $compartment->permit(':default',':load');
+ $compartment->share('$current_environment');
+
 $self->environment->{EventProcessor} = $self;
 $self->environment->{target} = $self->target;
 $self->environment->{event} = $self->event;
 $self->environment->{template} = $self->event->event_def->template;
- $self->environment->{params}{ $_->param } = eval $_->value for ( @{$self->event->event_def->params} );
+ $current_environment = $self->environment;
+
+ $self->environment->{params}{ $_->param } = $compartment->reval($_->value) for ( @{$self->event->event_def->params} );
 for my $e ( @{$self->event->event_def->env} ) {
 my (@label, @path);
-- 2.11.0
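Review bot: `my $current_environment;` declares a file-scoped lexical, but the next hunk hands the name to `$compartment->share('$current_environment')`, and Safe's `share` only aliases package (non-lexical) variables from the caller's symbol table. As written, the assignment in `build_environment` fills the lexical while the compartment sees a separate, never-assigned package variable, so any param value that reads `$current_environment` would get undef. Declaring it as `our $current_environment;` makes the share take effect. A short comment that the variable is overwritten on each `build_environment` call and exists only to be shared into the compartment would help the next reader.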
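Review bot: `$compartment->permit(':default',':load')` widens the compartment beyond Safe's starting mask: `:default` is already what a new compartment permits, and `:load` adds `require`, `dofile` and `caller` per the Opcode documentation, so a param value may load and compile other Perl code. Unless an event definition is known to need that, I would drop the call or permit only the specific ops required. Separately, `reval` returns undef and sets `$@` when the expression dies or uses a denied op, and the one-line loop stores that undef silently; checking `$@` and logging it, as sketched below, leaves a record of rejected param values. `Safe->new` would also be clearer than the indirect-object `new Safe`. The hunk starts and ends inside `build_environment`, so how the enclosing `try` handles errors is not visible here.

```perl
# … unchanged: compartment setup and environment assignments …
for my $p ( @{$self->event->event_def->params} ) {
    my $value = $compartment->reval($p->value);
    # reval returns undef and sets $@ when the code dies or uses a denied op
    $log->error("event param '" . $p->param . "' rejected in Safe compartment: $@") if $@;
    $self->environment->{params}{ $p->param } = $value;
}
# … unchanged: loop over event_def->env …
```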