Bug #117036 for List-MoreUtils: Cannot load included Config::AutoConf

Thu Aug 18 08:26:48 2016 XSAWYERX [...] cpan.org - Ticket created

Subject:

Cannot load included Config::AutoConf

When trying to install List::MoreUtils on a machine that does not have Config::AutoConf, it fails with the following error: Configuring List-MoreUtils-0.416 ... Can't locate inc/Config/AutoConf/LMU.pm in @INC (you may need to install the inc::Config::AutoConf::LMU module) (@INC contains: inc/inc_Config-AutoConf inc/inc_Capture-Tiny ...) at Makefile.PL line 65. BEGIN failed--compilation aborted at Makefile.PL line 65. While it adds "inc/inc_Config-AutoConf" to the beginning of @INC, it actually tries the following: stat("inc/inc_Config-AutoConf/inc/Config/AutoConf/LMU.pm", 0x7ffdb43b99c0) = -1 ENOENT (No such file or directory) (Notice that it goes to "inc/inc_Config-AutoConf/inc", that is, it assumes that it is inside "inc" inside the "inc_Config-AutoConf" inside "inc". It isn't. The path is: inc/inc_Config-AutoConf/Config/AutoConf.pm.

Thu Aug 18 08:32:25 2016 XSAWYERX [...] cpan.org - Correspondence added

On Thu Aug 18 08:26:48 2016, xsawyerx wrote: Show quoted text

> When trying to install List::MoreUtils on a machine that does not have > Config::AutoConf [...]

I installed Config::AutoConf and it still doesn't work. It now fails to find Config::AutoConf::LMU, which is bundled, but it's looking for it here: stat("inc/inc_Capture-Tiny/inc/Config/AutoConf/LMU.pm", 0x7ffde5beee10) = -1 ENOENT (No such file or directory) (That is, inside "inc", inside the Capture::Tiny one, inside "inc".)

Fri Aug 19 01:38:42 2016 REHSACK [...] cpan.org - Correspondence added

There're 846 passed tests showing that it works in general - so I expect there is a local problem on your setup. Can you please verify whether "." is in your @INC: $ perl -MDDP -le 'p(@INC)' [ [0] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/site_perl/5.24.0/darwin-2level", [1] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/site_perl/5.24.0", [2] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0/darwin-2level", [3] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0", [4] "." ]

Fri Aug 19 01:38:43 2016 The RT System itself - Status changed from 'new' to 'open'

Fri Aug 19 02:42:30 2016 XSAWYERX [...] cpan.org - Correspondence added

On Fri Aug 19 01:38:42 2016, REHSACK wrote: Show quoted text

> There're 846 passed tests showing that it works in general - so I > expect there is a local problem on your setup. > > Can you please verify whether "." is in your @INC: > > $ perl -MDDP -le 'p(@INC)' > [ > [0] "/foo/perl5/perlbrew/perls/perl- > 5.24.0/lib/site_perl/5.24.0/darwin-2level", > [1] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/site_perl/5.24.0", > [2] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0/darwin- > 2level", > [3] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0", > [4] "." > ]

Ah. Indeed '.' is not in my @INC.

Fri Aug 19 04:25:32 2016 REHSACK [...] cpan.org - Correspondence added

On Fri Aug 19 02:42:30 2016, xsawyerx wrote: Show quoted text

> On Fri Aug 19 01:38:42 2016, REHSACK wrote:

> > There're 846 passed tests showing that it works in general - so I > > expect there is a local problem on your setup. > > > > Can you please verify whether "." is in your @INC: > > > > $ perl -MDDP -le 'p(@INC)' > > [ > > [0] "/foo/perl5/perlbrew/perls/perl- > > 5.24.0/lib/site_perl/5.24.0/darwin-2level", > > [1] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/site_perl/5.24.0", > > [2] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0/darwin- > > 2level", > > [3] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0", > > [4] "." > > ]

> > Ah. Indeed '.' is not in my @INC.

I proved 8 Operating Systems as well as a lot of platforms with distributions perl and perlbrewed, "." is always at the end of @INC. What's your special case and what is your suggestion to deal with it?

Fri Aug 19 08:26:58 2016 XSAWYERX [...] cpan.org - Correspondence added

On Fri Aug 19 04:25:32 2016, REHSACK wrote: Show quoted text

> On Fri Aug 19 02:42:30 2016, xsawyerx wrote:

> > On Fri Aug 19 01:38:42 2016, REHSACK wrote:

> > > There're 846 passed tests showing that it works in general - so I > > > expect there is a local problem on your setup. > > > > > > Can you please verify whether "." is in your @INC: > > > > > > $ perl -MDDP -le 'p(@INC)' > > > [ > > > [0] "/foo/perl5/perlbrew/perls/perl- > > > 5.24.0/lib/site_perl/5.24.0/darwin-2level", > > > [1] "/foo/perl5/perlbrew/perls/perl- > > > 5.24.0/lib/site_perl/5.24.0", > > > [2] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0/darwin- > > > 2level", > > > [3] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0", > > > [4] "." > > > ]

> > > > Ah. Indeed '.' is not in my @INC.

> > I proved 8 Operating Systems as well as a lot of platforms with > distributions perl and perlbrewed, "." is always at the end of @INC.

Thank you for quickly pin-pointing what has happened here. It didn't even occur to me! :) Show quoted text

> > What's your special case and what is your suggestion to deal with it?

'.' as last implicit entry in @INC has security considerations, so it removed in production here. Take into account that it's likely to be removed (as the last implicit entry in @INC) from core Perl in 5.26. What would happen if the appropriate loading module would call "use lib '.'". That will always work, even with a changed @INC entry in core, because it puts it at the beginning of @INC explicitly. Will that work? I'll be honest, I'm not sure which that is exactly. inc::latest, maybe?

Fri Aug 19 09:59:20 2016 rehsack [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #117036] Cannot load included Config::AutoConf
Date:	Fri, 19 Aug 2016 15:59:07 +0200
To:	bug-List-MoreUtils [...] rt.cpan.org
From:	Jens Rehsack <rehsack [...] gmail.com>

Show quoted text

> Am 19.08.2016 um 14:26 schrieb Sawyer X via RT <bug-List-MoreUtils@rt.cpan.org>: > > Queue: List-MoreUtils > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=117036 > > > On Fri Aug 19 04:25:32 2016, REHSACK wrote:

>> On Fri Aug 19 02:42:30 2016, xsawyerx wrote:

>>> On Fri Aug 19 01:38:42 2016, REHSACK wrote:

>>>> There're 846 passed tests showing that it works in general - so I >>>> expect there is a local problem on your setup. >>>> >>>> Can you please verify whether "." is in your @INC: >>>> >>>> $ perl -MDDP -le 'p(@INC)' >>>> [ >>>> [0] "/foo/perl5/perlbrew/perls/perl- >>>> 5.24.0/lib/site_perl/5.24.0/darwin-2level", >>>> [1] "/foo/perl5/perlbrew/perls/perl- >>>> 5.24.0/lib/site_perl/5.24.0", >>>> [2] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0/darwin- >>>> 2level", >>>> [3] "/foo/perl5/perlbrew/perls/perl-5.24.0/lib/5.24.0", >>>> [4] "." >>>> ]

>>> >>> Ah. Indeed '.' is not in my @INC.

>> >> I proved 8 Operating Systems as well as a lot of platforms with >> distributions perl and perlbrewed, "." is always at the end of @INC.

> > Thank you for quickly pin-pointing what has happened here. It didn't even occur to me! :) >

>> >> What's your special case and what is your suggestion to deal with it?

> > '.' as last implicit entry in @INC has security considerations, so it removed in production here.

I fully agree, but adding a "use lib '.'" isn't that great solution :( Show quoted text

> Take into account that it's likely to be removed (as the last implicit entry in @INC) from core Perl in 5.26. > > What would happen if the appropriate loading module would call "use lib '.'". That will always work, even with a changed @INC entry in core, because it puts it at the beginning of @INC explicitly. Will that work?

Technically, yes - but I'm really happy that someone else than me added the security flaw. When "." will be removed, I rather intend to include the code snippet than adding "." to @INC myself. Show quoted text

> I'll be honest, I'm not sure which that is exactly. inc::latest, maybe?

inc::latest is code by xdg - he proposed using that than writing my own bundler ;) I agreed - and have no idea regarding the implications. Is there a blead without implicit "." out? Than I can prove how my configure stage will run there. Otherwise I have to build me an sawyer-flavoured-perl-5.24 :P Cheers -- Jens Rehsack - rehsack@gmail.com

Download signature.asc
application/pgp-signature 842b

Message body not shown because it is not plain text.

Fri Aug 19 17:23:05 2016 XSAWYERX [...] cpan.org - Correspondence added

On Fri Aug 19 09:59:20 2016, rehsack@gmail.com wrote: Show quoted text

> [...] > > Is there a > blead without implicit "." out? Than I can prove how my configure > stage will run there. Otherwise I have to build me an sawyer- > flavoured-perl-5.24 :P

Todd Rinaldo published patches to the list, but they weren't merged yet.

Sat Feb 18 16:47:56 2017 REHSACK [...] cpan.org - Correspondence added

I uploaded a new version to Github to let people have a comment before uploading it to CPAN. I resolved it as planned since beginning of 0.4xx series, but didn't found a tuit until today ;)

Sat Feb 18 16:48:02 2017 REHSACK [...] cpan.org - Status changed from 'open' to 'patched'

Tue Jul 11 08:17:55 2017 REHSACK [...] cpan.org - Status changed from 'patched' to 'resolved'

Tue Jul 11 08:17:55 2017 REHSACK [...] cpan.org - Fixed in 0.418 added