
This queue is for tickets about the Perl-Dist-Strawberry CPAN distribution.

Report information
The Basics
Id: 132264
Status: new
Priority: 0/
Queue: Perl-Dist-Strawberry

People
Owner: Nobody in particular
Requestors: jkeenan [...] pobox.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: aero <chahkang [...] gmail.com>, MITHALDU [...] cpan.org, Leon Timmermans <fawaka [...] gmail.com>
Subject: Strawberry Perl Portable edition reports Perl's executable's path is tainted
Date: Sun, 29 Mar 2020 13:51:35 -0400
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: James E Keenan <jkeenan [...] pobox.com>
In taint mode, run the program attached, taint.pl, in both Strawberry Perl MSI edition and Strawberry Perl Portable. According to the reports I have received, in the MSI edition (much like any other perl executable I've encountered) taint.pl reports:

#####
Path to perl executable ... is clean
#####

But in Strawberry Perl Portable, we are seeing the unexpected result:

#####
Path to perl executable ... is tainted
#####

Data:

1. http://www.cpantesters.org/cpan/report/90ddbb30-6d47-1014-bf40-0f5b8c5614d5

I followed up on this CPANtesters report with the tester, who reported running Strawberry Perl 5.28 Portable edition. We subsequently reduced the failures in IPC-System-Simple's t/taint.t to the program attached to this bug report. The reporter got the perl-executable-path "tainted" result -- and continued to do so even when the PATH envvar was substantially trimmed down (details upon request).

2. irc.perl.org #p5p Sun Mar 29 2020

I discussed this problem on IRC with Mithaldu, grinnz, genio, leont and others. Mithaldu reproduced the problem with Strawberry Perl 5.30 Portable edition. He has both a "regular" Strawberry Perl installed on his C drive and a Portable edition installed on his D drive. Running 'perl -T taint.pl', he got "clean" on the C drive but "tainted" on the D drive.

Analysis:

Leon T speculated: "Clearly, because Portable does some munging with %Config, and as a side-effect perlpath is now tainted. ... I'm not even sure if it's a bug or a feature that it does this. ... It sets perlpath to a helpful value, but it can't do that securely (by taint's definition of secure)."

Ask:

Can the Strawberry Perl team shed any light on this?

A subsidiary question: Is there any way to distinguish whether a given Strawberry Perl is "regular" or Portable?

Note: I don't have Strawberry Perl or Windows myself. I'm reporting this simply because I'm co-maint on IPC-System-Simple, where this problem was first observed.

Thank you very much.
Jim Keenan

Message body is not shown because sender requested not to inline it.
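
A check of the kind the report describes, added here as an example: it is not the attached taint.pl (which this page does not show) and not code from Strawberry Perl or IPC-System-Simple. It assumes, following Leon T's speculation, that the value of interest is `$Config{perlpath}`; `$^X` and `$ENV{PATH}` are included only for comparison, and the `untaint_perl_path` helper and its accepted character set are hypothetical choices for illustration.

```perl
use strict;
use warnings;
use Config;
use Scalar::Util qw(tainted);

# Without -T nothing is ever tainted, so every answer would read "clean".
die "Run as: perl -T $0\n" unless ${^TAINT};

# Values a module might later pass to system()/exec(); under -T each one
# must be clean or perl dies with "Insecure dependency".
my @candidates = (
    [ '$^X',               $^X ],
    [ '$Config{perlpath}', $Config{perlpath} ],
    [ '$ENV{PATH}',        $ENV{PATH} ],    # comparison: environment data
);

for my $c (@candidates) {
    my ($name, $value) = @$c;
    printf "%-20s %-8s %s\n", $name,
        ( tainted($value) ? 'tainted' : 'clean' ),
        ( defined $value ? $value : '(undef)' );
}

# Hypothetical helper (an assumption of this example): accept a tainted
# interpreter path only if it is absolute, uses a conservative character
# set, and names an existing regular file. The regex capture is what
# untaints the value, so the pattern must stay strict.
sub untaint_perl_path {
    my ($path) = @_;
    return unless defined $path;
    my ($clean) = $path =~ m{\A((?:[A-Za-z]:)?[\\/][\w .\\/-]+)\z}
        or return;
    return -f $clean ? $clean : undef;
}

my $perl = untaint_perl_path( $Config{perlpath} );
if ( defined $perl ) {
    printf "validated perlpath: %s (%s)\n", $perl,
        ( tainted($perl) ? 'tainted' : 'clean' );
}
else {
    print "perlpath rejected by validation; do not execute it\n";
}
```

Untainting by pattern only records that the value passed this check; it says nothing about who can write to the directory the interpreter lives in, which is the concern taint mode raises for a relocatable install.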