develooper Front page | perl.perl5.porters | Postings from April 2018

Re: [perl #133138] Blead Breaks CPAN:TOBYINK/Alt-Module-Runtime-ButEUMM-0.001.tar.gz

Thread Previous | Thread Next
Dave Mitchell
April 21, 2018 13:59
Re: [perl #133138] Blead Breaks CPAN:TOBYINK/Alt-Module-Runtime-ButEUMM-0.001.tar.gz
Message ID:
On Sat, Apr 21, 2018 at 04:01:53AM -0700, Sergey Aleynikov via RT wrote:
> On Sat, 21 Apr 2018 03:26:38 -0700, wrote:
> > t/taint.t fails since perl 5.27.5 (I did not notice earlier
> > because I usually don't test Alt::* modules):
> 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888 is the first bad commit
> commit 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888
> Author: Nicolas R <>
> Date:   Tue Sep 26 18:07:47 2017 -0500
>     pp_require: return earlier when module is already loaded

(That commit for ticket RT #132171.)

The difference that commit makes can be seen in the following:

    my $modname = "";
    my $tainted_modname = substr($ENV{PATH}, 0, 0) . $modname;
    eval {require($modname)};         print "err=[$@]\n";
    eval {require($tainted_modname)}; print "err=[$@]\n";

    $ perl5274 -T ~/tmp/p
    err=[Insecure dependency in require while running with -T switch at /home/davem/tmp/p line 8.

    $ perl5275 -T ~/tmp/p

The attempt to require the same module again is now detected earlier,
before the safe path and taint checks. It was intended as a performance
enhancement (skip more quickly second time round).

My feeling is that perl is ok and the distribution's t/taint.t needs
updating to reflect the new reality.

Unless anyone can think of a valid security reason why perl should
croak on requiring an already-loaded module via a tainted name, rather
than just quietly skipping?

"You may not work around any technical limitations in the software"
    -- Windows Vista license

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About