Avoid attacks on sitecustomize by using NUL delimiters to wrap filenames.

Previously the generated code used regular '' strings, which meant that a
crafted pathname containing ' characters could be used to inject code.
Until the previous commit, this was only a problem if building in or
Configuring to install to such a directory. Which, hopefully, would be
"obviously wrong" to anyone capable of building Perl from source.

However, fixing the bug that prevented sitecustomize being subject to
relocatable include now means that for a relocatable pearl, an end-user
controlled path can now reach the sitecusomize code.

diff --git a/perl.c b/perl.c
index 53f9334..748e282 100644 (file)
--- a/perl.c
+++ b/perl.c
@@ -2023,7 +2023,9 @@ S_parse_body(pTHX_ char **env, XSINIT_t xsinit)
 #if defined(USE_SITECUSTOMIZE)
     if (!minus_f) {
        /* The games with local $! are to avoid setting errno if there is no
-          sitecustomize script.  */
+          sitecustomize script.  "q%c...%c", 0, ..., 0 becomes "q\0...\0",
+          ie a q() operator with a NUL byte as a the delimiter. This avoids
+          problems with pathnames containing (say) '  */
 #  ifdef PERL_IS_MINIPERL
        AV *const inc = GvAV(PL_incgv);
        SV **const inc0 = inc ? av_fetch(inc, 0, FALSE) : NULL;
@@ -2031,7 +2033,9 @@ S_parse_body(pTHX_ char **env, XSINIT_t xsinit)
        if (inc0) {
            (void)Perl_av_create_and_unshift_one(aTHX_ &PL_preambleav,
                                                 Perl_newSVpvf(aTHX_
-                                                              "BEGIN { do {local $!; -f '%"SVf"/buildcustomize.pl'} && do '%"SVf"/buildcustomize.pl' }", *inc0, *inc0));
+                                                              "BEGIN { do {local $!; -f q%c%"SVf"/buildcustomize.pl%c} && do q%c%"SVf"/buildcustomize.pl%c }",
+                                                              0, *inc0, 0,
+                                                              0, *inc0, 0));
        }
 #  else
        /* SITELIB_EXP is a function call on Win32.  */
@@ -2042,7 +2046,9 @@ S_parse_body(pTHX_ char **env, XSINIT_t xsinit)
        const char *const sitelib = SvPVX(sitelib_sv);
        (void)Perl_av_create_and_unshift_one(aTHX_ &PL_preambleav,
                                             Perl_newSVpvf(aTHX_
-                                                          "BEGIN { do {local $!; -f '%s/sitecustomize.pl'} && do '%s/sitecustomize.pl' }", sitelib, sitelib));
+                                                          "BEGIN { do {local $!; -f q%c%s/sitecustomize.pl%c} && do q%c%s/sitecustomize.pl%c }",
+                                                          0, sitelib, 0,
+                                                          0, sitelib, 0));
        assert (SvREFCNT(sitelib_sv) == 1);
        SvREFCNT_dec(sitelib_sv);
 #  endif