From 6b1e02f764a7762c5505f7eb0c780acab8fd786e Mon Sep 17 00:00:00 2001
From: Doug Bell
Date: Wed, 11 Aug 2010 15:54:48 -0500
Subject: [PATCH] fixed possible vulnerability loading help files
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Operation/Help.pm | 12 +++++------
 t/Help/compiled.t | 13 +++++++++++--
 3 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 75f58d1e1..b80d52d01 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -2,6 +2,7 @@
 - webgui.org homepage gives 404 (#11778)
 - fixed #11779: SQLReport can run arbitrary queries
 - fixed possible vulnerability loading template parser
+ - fixed possible vulnerability loading help files
 7.9.11
 - fixed #11755: New cart does not update shipping methods correctly
diff --git a/lib/WebGUI/Operation/Help.pm b/lib/WebGUI/Operation/Help.pm
index 88fc8e50d..a7fbf93f1 100644
--- a/lib/WebGUI/Operation/Help.pm
+++ b/lib/WebGUI/Operation/Help.pm
@@ -41,18 +41,16 @@ been already and logs errors during the load.
 sub _loadHelp {
 my $session = shift;
 my $helpPackage = shift;
+ eval { WebGUI::Pluggable::load( $helpPackage ); };
+ if ($@) {
+ $session->errorHandler->error("Help failed to compile: $helpPackage. ".$@);
+ return {};
+ }
 if (defined *{"$helpPackage\::HELP"}) { ##Symbol table lookup
 our $table;
 *table = *{"$helpPackage\::HELP"}; ##Create alias into symbol table
 return $table; ##return whole hashref
 }
- my $load = sprintf 'use %-s; $%-s::HELP', $helpPackage, $helpPackage;
- my $help = eval($load);
- if ($@) {
- $session->errorHandler->error("Help failed to compile: $helpPackage. ".$@);
- return {};
- }
- return $help;
 }
 #-------------------------------------------------------------------
diff --git a/t/Help/compiled.t b/t/Help/compiled.t
index f98e8cb0e..d30f617bd 100644
--- a/t/Help/compiled.t
+++ b/t/Help/compiled.t
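Review bot: _loadHelp now has no explicit return for the case where WebGUI::Pluggable::load succeeds but the loaded package never defines $HELP; with the old `return $help;` gone, the sub falls off the end of the `if (defined *{"$helpPackage\::HELP"})` block and yields that false test value instead of a hashref, so a caller that does `keys %{ $help }` (as t/Help/compiled.t does) dies under strict refs. Add after that block's closing brace: `$session->errorHandler->error("Help loaded but defines no \$HELP: $helpPackage");` and `return {};`, which also keeps the documented "logs errors during the load" contract for this path. Replacing the string eval of a sprintf-built `use` with a block eval around WebGUI::Pluggable::load is the right fix for the code-injection risk the commit names, but the protection now rests entirely on Pluggable::load validating `$helpPackage` before it reaches `require`, which is not visible in this hunk; if that is indeed what it does, a one-line comment on the eval, `# Pluggable::load validates the package name; never string-eval $helpPackage`, would stop the next maintainer from reintroducing the old form.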
@@ -15,13 +15,14 @@ use lib "$FindBin::Bin/../lib";
 use WebGUI::Test;
 use WebGUI::Session;
 use WebGUI::Operation::Help;
+use Test::More;
+use Test::Exception;
 #The goal of this test is to verify that all entries in the lib/WebGUI/Help
 #directory compile. This test is necessary because WebGUI::Operation::Help
 #will return an empty hash if it won't compile, and the help will simply
 #disappear.
-use Test::More;
 my $numTests = 0;
 my $session = WebGUI::Test->session;
@@ -30,10 +31,18 @@ my @helpFileSet = WebGUI::Operation::Help::_getHelpFilesList($session);
 $numTests = scalar @helpFileSet; #One for each help compile
-plan tests => $numTests;
+plan tests => $numTests + 2;
 foreach my $helpSet (@helpFileSet) {
 my $helpName = $helpSet->[1];
 my $help = WebGUI::Operation::Help::_load($session, $helpName);
 ok(keys %{ $help }, "$helpName compiled");
 }
+
+#----------------------------------------------------------------------------
+# Test invalid help files
+WebGUI::Test->interceptLogging;
+lives_ok { WebGUI::Operation::Help::_load( $session, '::HI::' ) } "invalid help module doesnt die";
+like( $WebGUI::Test::logger_error, qr/^Help failed to compile/, 'invalid help module errored' );
+
+WebGUI::Test->restoreLogging;
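Review bot: The new invalid-module test in the second hunk checks only that `_load` survives and logs, not what it returns, while the loop above it relies on a failed load yielding an empty hashref (`ok(keys %{ $help }, ...)` dereferences the result). Capture the value and pin it: `my $help; lives_ok { $help = WebGUI::Operation::Help::_load( $session, '::HI::' ) } "invalid help module doesnt die";` followed by `is_deeply( $help, {}, 'invalid help module returns empty hashref' );`, with `plan tests => $numTests + 3;`. '::HI::' exercises only a malformed name; a second case with a well-formed but non-existent package name would show that a failing require, not just name validation, is also caught and logged rather than propagating. `_load` is defined outside this hunk, so whether it prefixes the name before reaching _loadHelp cannot be confirmed here.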