/ 
File-Find-Rule-0.20
River stage four • 284 direct dependents • 1709 total dependents
Security Advisories (1)
CVE-2011-10007 (2025-06-05)

File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule \     -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user) groups=1000(user),100(users)

Changes for version 0.20

  • relative flag
  • Fix maxdepth? - this is undertested.
  • MANIFEST fixes (thanks to the cpan smokers)
  • split the documentation of the procedural interface out to File::Find::Rule::Procedural, as people often seem to get confused that the method calls don't take anonymous arrays after seeing the procedural code that did
  • Chunky internal restructure. Now we compile a match sub from code fragments. Though more complex, this is a big speed win as it eliminates a lot of the subroutine dispatch.
  • During the restructure we lost the ->test method. I hope that it's not missed, since maintining it through a deprecation cycle would be fiddly with the current _compile code.
  • Split the findrule tests into their own file, and just skip the tricky ones on Win32.

Documentation

File::Find::Rule
findrule
command line wrapper to File::Find::Rule
File::Find::Rule::Extending
the mini-guide to extending File::Find::Rule
File::Find::Rule::Procedural
File::Find::Rule's procedural interface

Modules

File::Find::Rule
Alternative interface to File::Find

Other files