Front page | perl.perl5.porters |
Postings from April 2018
On 04/21/2018 03:59 PM, Dave Mitchell wrote:
> On Sat, Apr 21, 2018 at 04:01:53AM -0700, Sergey Aleynikov via RT wrote:
>> On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:
>>
>>> t/taint.t fails since perl 5.27.5 (I did not notice earlier
>>> because I usually don't test Alt::* modules):
>> 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888 is the first bad commit
>> commit 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888
>> Author: Nicolas R <atoomic@cpan.org>
>> Date: Tue Sep 26 18:07:47 2017 -0500
>>
>> pp_require: return earlier when module is already loaded
> (That commit for ticket RT #132171.)
>
> The difference that commit makes can be seen in the following:
>
> my $modname = "strict.pm";
> my $tainted_modname = substr($ENV{PATH}, 0, 0) . $modname;
> eval {require($modname)}; print "err=[$@]\n";
> eval {require($tainted_modname)}; print "err=[$@]\n";
>
> $ perl5274 -T ~/tmp/p
> err=[]
> err=[Insecure dependency in require while running with -T switch at /home/davem/tmp/p line 8.
> ]
>
> $ perl5275 -T ~/tmp/p
> err=[]
> err=[]
>
> The attempt to require the same module again is now detected earlier,
> before the safe path and taint checks. It was intended as a performance
> enhancement (skip more quickly second time round).
>
> My feeling is that perl is ok and the distribution's t/taint.t needs
> updating to reflect the new reality.
>
> Unless anyone can think of a valid security reason why perl should
> croak on requiring an already-loaded module via a tainted name, rather
> than just quietly skipping?
The old behavior seems to only be a red herring to developers. You would
go down the "this is a taint problem" when in fact you have already
loaded that module and the load attempt can be ignored.
Thread Previous
|
Thread Next