Fix Unsafe AUTOLOAD Implementation

nigelhorne · nigelhorne · commit 75a57222e1a8 · 2025-08-05T15:13:38.000-04:00
diff --git a/lib/VWF/Config.pm b/lib/VWF/Config.pm
@@ -25,6 +25,7 @@ our $VERSION = '0.01';
 use warnings;
 use strict;
 
+use Carp;
 use Config::Abstraction;
 use CGI::Info;
 use Data::Dumper;
@@ -186,8 +187,15 @@ sub AUTOLOAD
 	# Extract the method name from the AUTOLOAD variable
 	(my $key = $AUTOLOAD) =~ s/.*:://;
 
+	# Don't handle special methods
+	return if $key eq 'DESTROY';
+
+	# Validate method name - only allow safe config keys
+	Carp::croak("Invalid key name: $key" ) unless $key =~ /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+
 	# Return the value of the corresponding hash key
-	return $self->{$key};
+	# Only return existing keys to avoid auto-vivification
+	return exists $self->{$key} ? $self->{$key} : undef;
 }
 
 1;
diff --git a/lib/VWF/Display.pm b/lib/VWF/Display.pm
@@ -326,7 +326,7 @@ sub get_template_path
 		return $self->{_filename};
 	}
 
-	my $dir = $self->{_config}->{root_dir} || $self->{_info}->root_dir();
+	my $dir = $ENV{'root_dir'} || $self->{_config}->{root_dir} || $self->{_info}->root_dir();
 	if($self->{_logger}) {
 		$self->{_logger}->debug(__PACKAGE__, ': ', __LINE__, ": root_dir $dir");
 		$self->{_logger}->debug(Data::Dumper->new([$self->{_config}])->Dump());

Original file line number	Diff line number	Diff line change
`@@ -326,7 +326,7 @@ sub get_template_path`
`326`	`326`	`return $self->{_filename};`
`327`	`327`	`}`
`328`	`328`
`329`		`- my $dir = $self->{_config}->{root_dir} \|\| $self->{_info}->root_dir();`
	`329`	`+ my $dir = $ENV{'root_dir'} \|\| $self->{_config}->{root_dir} \|\| $self->{_info}->root_dir();`
`330`	`330`	`if($self->{_logger}) {`
`331`	`331`	`$self->{_logger}->debug(__PACKAGE__, ': ', __LINE__, ": root_dir $dir");`
`332`	`332`	`$self->{_logger}->debug(Data::Dumper->new([$self->{_config}])->Dump());`