
This queue is for tickets about the Module-Pluggable CPAN distribution.

Report information
The Basics
Id: 12746
Status: resolved
Priority: 0/
Queue: Module-Pluggable

People
Owner: simonw [...] cpan.org
Requestors: claco [...] chrislaco.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.8
Fixed in: (no value)

Subject: Insecure dependency errors on taint mode
When running M::P 2.8 under taint mode, "Insecure dependency" errors crop up if you use instantiate (and possibly require) at line 314/325. This crude change fixes the problem:

    if (defined $opts{'instantiate'} || $opts{'require'}) {
        if ($plugin =~ /^(.*)$/) { $plugin = $1; };
        eval "CORE::require $plugin";
        carp "Couldn't require $plugin : $@" if $@;
    }
From: CLACO
Here's something a little more sane. I just replaced the next/.pm check with the untaint version and everything past that is happy. -=Chris
--- Pluggable.pm.orig Fri Mar 18 09:33:56 2005 +++ Pluggable.pm Sat May 28 14:22:28 2005 @@ -287,7 +287,6 @@ # if it doesn't exist or it's not a dir then skip it next unless ( -e $sp && -d _ ); # Use the cached stat the second time - # find all the .pm files in it # this isn't perfect and won't find multiple plugins per file #my $cwd = Cwd::getcwd; @@ -303,7 +302,10 @@ # foreach one we've found foreach my $file (@files) { - next unless $file =~ m!\.pm$!; + # untaint file accepting .pm only + if ($file =~ /(.*\.pm)/) { + $file = $1; + } else {next}; # parse the file to get the name my ($name, $directory) = fileparse($file, qr{\.pm}); $directory = abs2rel($directory, $sp); @@ -431,6 +433,5 @@ } return @packs; } - 1;
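Review bot: the first hunk (`@@ -287,7 +287,6 @@`) only drops a blank line after the `next unless ( -e $sp && -d _ );` check and is unrelated to the taint failure; keep whitespace-only changes out of a bug-fix patch so that the hunk that matters is the only one a reviewer has to read.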
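Review bot: the untaint pattern in the second hunk, `if ($file =~ /(.*\.pm)/) { $file = $1; }`, is not anchored at the end, so `Foo.pm.orig` or `Foo.pmx` passes the check and `$file` is silently truncated to `Foo.pm`; that is a regression from the replaced `next unless $file =~ m!\.pm$!`, which at least required `.pm` at the end. Anchor the capture with `$` (or `\z`), and since the capture is what clears the taint, restrict it to the characters a path to a module file may legitimately contain rather than `.*`, which untaints any string that happens to contain `.pm`; `next unless ($file) = $file =~ m{^([\w./-]+\.pm)$};` does both in one line and also gets rid of the stray `;` after `else {next}`. The `fileparse($file, qr{\.pm})` and `abs2rel($directory, $sp)` calls that follow still derive values from the same path data, so check whether their results come out tainted too.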
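Review bot: the third hunk (`@@ -431,6 +433,5 @@`) removes nothing but the blank line before the closing `1;`; this cosmetic edit does not belong in the taint fix and should be dropped or sent separately.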
I'll try and get a new version out this week
[SIMONW - Mon Jun 6 10:53:08 2005]:
> I'll try and get a new version out this week

Same problem here - thanks.
[CLACO - Sat May 28 14:30:54 2005]:
> Here's something a little more sane. I just replaced the next/.pm
> check with the untaint version and everything past that is happy.
>
> -=Chris
I made a slight modification to the patch:

    # untaint the file; accept .pm only
    next unless ($file) = ($file =~ /(.*\.pm)$/);

This catches a file that has .pm, but not actually at the end.
I also found a taint occurring in the call to fileparse(). I've attached a patch that also catches this, and have updated all of the tests (adding -T to the shebang line) to ensure that the new code actually handles taint properly in all of the tested cases.
[Attachment: patch, application/octet-stream, 8.7k]
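The two untaint points raised in this ticket, the `.pm` file-name check and the package name that is later handed to `require`, as an added example that is not Module::Pluggable's own code. It is a stand-alone plugin scanner that runs under `perl -T`; the temporary directory, the files `Good.pm`, `Good.pm.orig` and `Bad Name.pm`, the package `Good`, and the function names are constructed for the demonstration. Unlike a capture-everything pattern such as `/^(.*)$/` or an unanchored `/(.*\.pm)/`, each untaint below is anchored at both ends and limited to the characters a module name may contain, so the capture validates the value rather than merely clearing its taint flag, and `require` is given a file path instead of a string eval.

```perl
#!/usr/bin/perl -T
# Added example, not Module::Pluggable code: a minimal plugin scanner that
# runs under taint mode by validating the names it finds instead of
# laundering them. Directory, file names and package names are constructed
# here for the demonstration.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Untaint a plugin file basename: identifier characters plus ".pm", anchored
# at both ends. "Good.pm.orig", "Good.pmx" and "Bad Name.pm" are rejected
# rather than truncated to "Good.pm" as an unanchored /(.*\.pm)/ would do.
sub untaint_pm_basename {
    my ($file) = @_;
    return undef unless defined $file;
    return ($file =~ /\A([A-Za-z_]\w*\.pm)\z/) ? $1 : undef;
}

# Turn a relative path such as "Foo/Bar.pm" into the package name "Foo::Bar",
# checking every path component. Only the capture in the final match is the
# untainted value; the per-component checks do not untaint by themselves.
sub untaint_package_name {
    my ($rel_path) = @_;
    my @dirs = File::Spec->splitdir($rel_path);
    my $base = untaint_pm_basename(pop @dirs);
    return undef unless defined $base;
    $base =~ s/\.pm\z//;
    for my $component (@dirs) {
        # rejects "..", "" and anything outside identifier characters
        return undef unless $component =~ /\A[A-Za-z_]\w*\z/;
    }
    my $pkg = join '::', @dirs, $base;
    return ($pkg =~ /\A([A-Za-z_]\w*(?:::[A-Za-z_]\w*)*)\z/) ? $1 : undef;
}

# Load a validated package name without a string eval: map it back to a
# relative path and let require search @INC for it.
sub load_plugin {
    my ($pkg) = @_;
    (my $path = "$pkg.pm") =~ s{::}{/}g;
    my $ok = eval { require $path; 1 };
    warn "Couldn't require $pkg: $@" unless $ok;
    return $ok ? 1 : 0;
}

# Scan one directory; readdir output is tainted under -T, so every entry
# goes through untaint_package_name before it can reach require.
sub scan_plugins {
    my ($search_dir) = @_;
    opendir(my $dh, $search_dir) or die "opendir $search_dir: $!";
    my @entries = readdir $dh;
    closedir $dh;
    my (@loaded, @rejected);
    for my $entry (sort grep { $_ ne '.' && $_ ne '..' } @entries) {
        my $pkg = untaint_package_name($entry);
        if (!defined $pkg) { push @rejected, $entry; next }
        push @loaded, $pkg if load_plugin($pkg);
    }
    return (\@loaded, \@rejected);
}

# Constructed fixture: one real plugin and two look-alikes that must be skipped.
my $dir = tempdir(CLEANUP => 1);   # generated name, not derived from user input
{
    open(my $fh, '>', "$dir/Good.pm") or die "write Good.pm: $!";
    print {$fh} "package Good;\nsub new { bless {}, shift }\n1;\n";
    close $fh;
}
for my $junk ('Good.pm.orig', 'Bad Name.pm') {
    open(my $fh, '>', "$dir/$junk") or die "write $junk: $!";
    close $fh;
}
unshift @INC, $dir;

my ($loaded, $rejected) = scan_plugins($dir);
print "loaded:   @$loaded\n";
print "rejected: @$rejected\n";
print "taint left on loaded names: ",
      (grep { tainted($_) } @$loaded) ? "yes" : "no", "\n";
print "Good->new is a ", ref(Good->new), "\n";

# Path-to-package checks on constructed inputs, including a traversal attempt.
for my $rel ('Foo/Bar.pm', 'Foo/../Bar.pm', 'Bar.pm.orig') {
    my $pkg = untaint_package_name($rel);
    printf "%-15s -> %s\n", $rel, defined $pkg ? $pkg : '(rejected)';
}
```

Run it as `perl -T script.pl` (the shebang carries `-T` as well). Only `Good` is loaded: `Good.pm.orig` and `Bad Name.pm` fail the anchored basename pattern, `Foo/../Bar.pm` fails the per-component check, and `Foo/Bar.pm` maps to `Foo::Bar`. The character classes are deliberately narrower than what a file system allows; a plugin whose name they reject is skipped with a clear reason, which is the safer failure mode for data that ends up in `require`.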

Fixed in 2.9. Thanks for the help and patches.