File: Use-3-arg-form-of-open-in-LoadFile.patch

package info
libyaml-libyaml-perl 0.86+ds-1+deb12u1
  • area: main
  • in suites: bookworm
  • size: 676 kB
  • sloc: perl: 1,612; ansic: 1,198; sh: 29; makefile: 4
file content (31 lines) | stat: -rw-r--r-- 1,016 bytes
From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de>
Date: Wed, 29 Jan 2025 21:17:28 +0100
Subject: Use 3-arg form of open in LoadFile
Origin: https://github.com/ingydotnet/yaml-libyaml-pm/commit/5fe9daed726c06900c3cd41a739460057bec6dc3
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40908

Fixes https://github.com/ingydotnet/yaml-libyaml-pm/issues/120

Otherwise `$filename = ">file.yaml"; LoadFile($filename)` will truncate a file.

One should check untrusted filenames in any case, though.
---
 lib/YAML/XS.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/YAML/XS.pm b/lib/YAML/XS.pm
index 66ff5bac7d15..e8df694dd51e 100644
--- a/lib/YAML/XS.pm
+++ b/lib/YAML/XS.pm
@@ -54,7 +54,7 @@ sub LoadFile {
         $IN = $filename;
     }
     else {
-        open $IN, $filename
+        open $IN, '<', $filename
           or die "Can't open '$filename' for input:\n$!";
     }
     return YAML::XS::LibYAML::Load(do { local $/; local $_ = <$IN> });
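Review bot: the changed `open $IN, '<', $filename` line in LoadFile comes with no regression test; the diffstat touches only lib/YAML/XS.pm. A test that calls LoadFile with a name such as `>file.yaml` (the case from the commit message) and asserts that an existing file.yaml keeps its contents would pin the fix. The 3-arg form also stops interpreting the other 2-arg forms, so a trailing `|` or a bare `-` in `$filename` is now taken as a literal file name rather than a pipe or STDIN; a line in the changelog or the LoadFile documentation would tell callers who relied on that behaviour.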
-- 
2.49.0