From c1a937fef07c061600a0078f4cb53fe9c2136bb9 Mon Sep 17 00:00:00 2001 From: Ricardo Signes Date: Mon, 9 Aug 2021 08:14:05 -0400 Subject: [PATCH] Encode.pm: apply a local patch for CVE-2021-36770 I expect Encode to see a new release today. Without this fix, Encode::ConfigLocal can be loaded from a path relative to the current directory, because the || operator will evaluate @INC in scalar context, putting an integer as the only value in @INC. --- cpan/Encode/Encode.pm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cpan/Encode/Encode.pm b/cpan/Encode/Encode.pm index a56a99947fd..b96a8504169 100644 --- a/cpan/Encode/Encode.pm +++ b/cpan/Encode/Encode.pm @@ -65,8 +66,8 @@ require Encode::Config; eval { local $SIG{__DIE__}; local $SIG{__WARN__}; - local @INC = @INC || (); - pop @INC if $INC[-1] eq '.'; + local @INC = @INC; + pop @INC if @INC && $INC[-1] eq '.'; require Encode::ConfigLocal; };