
[PATCH] Re: Report /pro/3gl/CPAN/perl-current@11794

From: Nicholas Clark
Date: September 3, 2001 08:24
Subject: [PATCH] Re: Report /pro/3gl/CPAN/perl-current@11794
Message ID: 20010903162421.J25120@plum.flirble.org

On Mon, Sep 03, 2001 at 11:13:14AM -0400, Michael G Schwern wrote:
> On Mon, Sep 03, 2001 at 03:37:57PM +0100, Nicholas Clark wrote:
> > so it looks like your cwd doesn't taint on 10.20. Next question: Why?
> > File/Find.pm looks confusing, but am I right in thinking that you get
> > 
> >     my $cwd            = $wanted->{bydepth} ? Cwd::fastcwd() : Cwd::cwd();
> 
> Why the hell is the selection of fastcwd vs cwd dependent on whether
> or not we're searching by depth???

I don't know.
The documentation of Cwd.pm is a mess (was it you who first observed this?)
and the sooner the synopsis is under 3 lines the better.

> Anyhow, cwd() isn't taint clean here, either (Debian/PowerPC).
> fastcwd() and getcwd() are.

&cwd attempts to be implemented as `pwd` on Unix(a-likes) as pwd may be
setuserid root (so says some documentation)
&cwd falls back on &getcwd when `pwd` isn't found.

PATH= ./perl -T lib/File/Find/taint.t

FAILS tests 29 and 45 here.


I see:

    if ( $symlink_exists ) { print "1..45\n"; }
    else                   { print "1..27\n";  }
    
    use File::Find;
    use File::Spec;
    use Cwd;


    my $NonTaintedCwd = $^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'os2';


I'd suggest the patch below, to remove any heuristics and inherent assumptions.
Passes with PATH= on Debian (i.e. no pwd in my path, so non-tainting cwd).

> IMHO just change that logic to
> 
>     my $cwd = $wanted->{bydepth} ? Cwd::fastcwd() : Cwd::getcwd();

I'd be loath to change it as I suspect it's something subtle based on when
File::Find executes chdir.

Nicholas Clark

--- lib/File/Find/taint.t.orig  Mon Jul  2 15:26:41 2001
+++ lib/File/Find/taint.t       Mon Sep  3 16:19:07 2001
@@ -43,8 +43,17 @@
 use File::Spec;
 use Cwd;
 
-
-my $NonTaintedCwd = $^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'os2';
+my $NonTaintedCwd;
+{
+  my $cwd = cwd;
+  die "cwd failed: $!" unless defined $cwd;
+  my $cwd = substr($cwd, 0, 0); # zero-length
+  local $@;
+  # Rather than guess based on $^O, actually check to see if the return from
+  # cwd is tainted. Same OS can vary depending on whether pwd is in $PATH
+  eval { eval "# $cwd" };
+  $NonTaintedCwd = length($@) == 0;
+}
 
 cleanup();
 
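
Review bot: the second `my $cwd` on the `substr($cwd, 0, 0)` line redeclares a lexical that was already declared two lines earlier in the same block. It still works, because the right-hand side sees the first `$cwd` until the statement ends, but it will produce a "my variable masks earlier declaration in same scope" warning when warnings are enabled. Drop the second `my`, or assign to a separately named variable and interpolate that one in the string eval. It would also help to extend the comment to say why the value is cut to zero length (the empty string keeps the taint flag of the original while guaranteeing that the eval'd text is only a bare comment), and why the string eval is wrapped in a block eval (so that the taint exception lands in `$@` instead of killing the test), since neither is obvious from the code alone.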
