Subject: Pod::Usage::pod2usage -- calling 'perldoc' on $0 is tainted, unsafe
In version 1.16 of Pod::Usage -- and I see it is still extant in version 1.30 -- executing 'pod2usage (-verbose=>2)' w/in a 'taint enabled' (-T) script fails w/ the error "Insecure dependency in system while running with -T switch".
Sample program:
--->8--->8--- CUT HERE --->8--->8---
#!/usr/bin/perl -Tw
use strict ;
$ENV{'PATH'} = '/bin:/usr/bin' ;
### ($0) = $0 =~ /(.*)/ ; ### Detaint $0
use Pod::Usage ;
pod2usage (-verbose=>2) ;
__END__
=head1 NAME
bug - Demonstrate Pod::Usage bug
--->8--->8--- CUT HERE --->8--->8---
This is due to pod2usage trying to invoke 'perldoc' on $opts{"-input"}, which if otherwise unset, contains $0, the script file-path. (Note, this is after the understandable requirement to sanitize $ENV{PATH} is taken care of first.)
One could take the approach of de-tainting $0 -- and uncommenting the 'Detaint' line in the above script does this -- and this then works in the simple and usual case, but 'perldoc' isn't secure w/ an arbitrary file-path (at least in my current version; a separate bug).
Eg, in the above example, try uncommenting the 'Detaint' line, copying the script to the oddly-named file 'a;b', and then running it. I get results like:
proteus #] cp bug a\;b
proteus #] ./a\;b
Can't open ./a for reading: No such file or directory
at /usr/bin/pod2man line 60
sh: b: command not found
Got a 0-length file from ./a;b via Pod::Perldoc::ToMan!?
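As an added example (not part of the report or of Pod::Usage itself): a strict detaint of $0 that only accepts a conservative set of path characters before the value reaches pod2usage, in place of the permissive /(.*)/ capture in the sample script, which untaints anything, including 'a;b'. The character class and the name untaint_pod_path are assumptions of this example; run it directly or with 'perl -T' so the taint flag is honoured.

```perl
#!/usr/bin/perl -Tw
# Added example, not code from the bug report: strict detaint of $0
# before Pod::Usage hands it to perldoc.
use strict;
use warnings;
use Pod::Usage;

# Same sanitisation the report describes as the first step, plus the
# other variables perlsec recommends clearing under -T.
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of $path only if it consists of word
# characters, '.', '/' and '-' and does not start with '-' (so it cannot
# be read as an option by perldoc); die on anything else, e.g. 'a;b'.
# The allowed set is an assumption of this example, not a rule from
# Pod::Usage; widen it deliberately if your script paths need more.
sub untaint_pod_path {
    my ($path) = @_;
    if ($path =~ m{^(?!-)([\w./-]+)\z}) {
        return $1;    # a regex capture is untainted
    }
    die "refusing to pass unsafe path to perldoc: '$path'\n";
}

my $input = untaint_pod_path($0);   # './a;b' is rejected here
pod2usage(-input => $input, -verbose => 2);

__END__

=head1 NAME

example - strict detaint of $0 before pod2usage
```

The check only guarantees that the path pod2usage receives contains nothing a shell could misread; pod2usage is still the code that spawns perldoc, so the report's question about whether it should do so at all stands.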
So... should Pod::Usage::pod2usage really be invoking 'perldoc'?
This all is running on a RedHat Enterprise WS 4 system, w/ perl v5.8.5 and Pod::Usage v1.16 (perldoc v3.13, if that's relevant for part two).