Front page | perl.perl5.porters |
Postings from April 2018
On Sat, Apr 21, 2018 at 04:01:53AM -0700, Sergey Aleynikov via RT wrote:
> On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:
>
> > t/taint.t fails since perl 5.27.5 (I did not notice earlier
> > because I usually don't test Alt::* modules):
>
> 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888 is the first bad commit
> commit 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888
> Author: Nicolas R <atoomic@cpan.org>
> Date: Tue Sep 26 18:07:47 2017 -0500
>
> pp_require: return earlier when module is already loaded
(That commit for ticket RT #132171.)
The difference that commit makes can be seen in the following:
my $modname = "strict.pm";
my $tainted_modname = substr($ENV{PATH}, 0, 0) . $modname;
eval {require($modname)}; print "err=[$@]\n";
eval {require($tainted_modname)}; print "err=[$@]\n";
$ perl5274 -T ~/tmp/p
err=[]
err=[Insecure dependency in require while running with -T switch at /home/davem/tmp/p line 8.
]
$ perl5275 -T ~/tmp/p
err=[]
err=[]
The attempt to require the same module again is now detected earlier,
before the safe path and taint checks. It was intended as a performance
enhancement (skip more quickly second time round).
My feeling is that perl is ok and the distribution's t/taint.t needs
updating to reflect the new reality.
Unless anyone can think of a valid security reason why perl should
croak on requiring an already-loaded module via a tainted name, rather
than just quietly skipping?
--
"You may not work around any technical limitations in the software"
-- Windows Vista license
Thread Previous
|
Thread Next