fix 11773 Pluggable allows arbitrary module load

docs/changelog/7.x.x.txt

@@ -14,6 +14,7 @@
  - fixed #11772: Metadata in Post doesn't set default value correctly
  - fixed #11768: Edit Branch does not update File wgaccess permissions
  - added Asset Report Asset allowing creation of reports based on Asset Properties.
+ - fixed #11773: Pluggable allows arbitrary module loading
 
 7.9.10
  - fixed #11721: spamStopWords not in WebGUI.conf.original

lib/WebGUI/Pluggable.pm

@@ -232,6 +232,11 @@ sub load {
         croak "Could not load $module because $moduleError{$module}";
     }
 
+    # Sanitize
+    if ( $module !~ m{^\w+(?:\w+|::)*\w+$} ) {
+        croak "Invalid module name: $module";
+    }
+
     # Try to load the module
     my $modulePath = $module . ".pm";
     $modulePath =~ s{::|'}{/}g;

t/Pluggable.t

@@ -41,7 +41,7 @@ use WebGUI::Pluggable;
 #----------------------------------------------------------------------------
 # Tests
 
-plan tests => 12;        # Increment this number for each test you create
+plan tests => 18;        # Increment this number for each test you create
 
 #----------------------------------------------------------------------------
 # put your tests here
@@ -62,6 +62,14 @@ is($dumper->Dump, q|$VAR1 = {
         };
 |, "Can instanciate an object.");
 
+ok( !eval{ WebGUI::Pluggable::load( '::HA::HA' ); 1 }, 'load dies on bad input' );
+like( $@, qr/^\QInvalid module name: ::HA::HA/, 'helpful error message' );
+
+ok( !eval{ WebGUI::Pluggable::load( 'HA::HA::' ); 1 }, 'load dies on bad input' );
+ok( !eval{ WebGUI::Pluggable::load( 'HA::..::..::HA' ); 1 }, 'load dies on bad input' );
+ok( !eval{ WebGUI::Pluggable::load( '..::..::..::HA' ); 1 }, 'load dies on bad input' );
+ok( !eval{ WebGUI::Pluggable::load( 'uploads::ik::jo::ikjosdfwefsdfsefwef::myfile.txt\0.pm' ); 1 }, 'load dies on bad input' );
+
 #----------------------------------------------------------------------------
 # Test find and findAndLoad
 { # Block to localize @INC