File perl-Spreadsheet-ParseExcel-CVE-2023-7101.patch of Package perl-Spreadsheet-ParseExcel

Overview Repositories Revisions Requests Users Attributes Meta

File perl-Spreadsheet-ParseExcel-CVE-2023-7101.patch of Package perl-Spreadsheet-ParseExcel

From bd3159277e745468e2c553417b35d5d7dc7405bc Mon Sep 17 00:00:00 2001
From: Daniel Ruoso <daniel@ruoso.com>
Date: Thu, 28 Dec 2023 11:56:10 -0500
Subject: [PATCH] Do not use string eval for conditional formatting

---
 lib/Spreadsheet/ParseExcel/Utility.pm | 31 +++++++++++++++++++--------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/lib/Spreadsheet/ParseExcel/Utility.pm b/lib/Spreadsheet/ParseExcel/Utility.pm
index c0c26a0..d8cfb99 100644
--- a/lib/Spreadsheet/ParseExcel/Utility.pm
+++ b/lib/Spreadsheet/ParseExcel/Utility.pm
@@ -78,10 +78,12 @@ sub ExcelFmt {
     $format_str = '@' if uc($format_str) eq "GENERAL";
 
     # Check for a conditional at the start of the format. See notes above.
-    my $conditional;
-    if ( $format_str =~ /^\[([<>=][^\]]+)\](.*)$/ ) {
-        $conditional = $1;
-        $format_str  = $2;
+    my $conditional_op;
+    my $conditional_value;
+    if ( $format_str =~ /^\[([<>=]+)([^\]]+)\](.*)$/ ) {
+        $conditional_op = $1;
+        $conditional_value = $2;
+        $format_str = $3;
     }
 
     # Ignore the underscore token which is used to indicate a padding space.
@@ -166,12 +168,23 @@ sub ExcelFmt {
     }
 
     # Override the previous choice if the format is conditional.
-    if ($conditional) {
-
-        # TODO. Replace string eval with a function.
-        $section = eval "$number $conditional" ? 0 : 1;
+    if ($conditional_op) {
+        if ($conditional_op eq '>') {
+            $section = $number > $conditional_value ? 0 : 1;
+        } elsif ($conditional_op eq '>=') {
+            $section = $number >= $conditional_value ? 0 : 1;
+        } elsif ($conditional_op eq '<') {
+            $section = $number < $conditional_value ? 0 : 1;
+        } elsif ($conditional_op eq '<=') {
+            $section = $number <= $conditional_value ? 0 : 1;
+        } elsif ($conditional_op eq '=') {
+            $section = $number == $conditional_value ? 0 : 1;
+        } elsif ($conditional_op eq '==') {
+            $section = $number == $conditional_value ? 0 : 1;
+        } elsif ($conditional_op eq '<>') {
+            $section = $number != $conditional_value ? 0 : 1;
+        }
     }
-
     # We now have the required format.
     $format = $formats[$section];

Places

File perl-Spreadsheet-ParseExcel-CVE-2023-7101.patch of Package perl-Spreadsheet-ParseExcel

Places