
This queue is for tickets about the GnuPG-Interface CPAN distribution.

Report information
The Basics
Id: 133041
Status: open
Priority: 0/
Queue: GnuPG-Interface

People
Owner: Nobody in particular
Requestors: PUCK [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.00
Fixed in: (no value)



Subject: GnuPG::Interface causes programs running in Taint mode to fail due to $ENV{PATH} being tainted
Hey,

After we uploaded GnuPG::Interface v1.0 to Debian, several Perl programs that run with Taint mode failed to run, for example: https://bugs.debian.org/964878

This is because GnuPG::Interface uses $ENV{PATH} which is tainted.

I propose resolving this by detecting if Taint mode is enabled and un-setting the path. This requires that the full path to a gpg binary is provided. I'm resolving this in Debian by changing the default from 'gpg' to '/usr/bin/gpg'.

The proposed patch (minus changing the default binary) is attached.

Cheers,
Andrew
Subject: detect-taint-mode

Message body not shown because it is not plain text.
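
The attached patch is not shown on this page. The approach the report describes (detect Taint mode, drop the tainted PATH, require an absolute path to gpg) can be sketched as follows; this is an added example, not the attached patch or GnuPG::Interface code, and the helper name gpg_version is hypothetical. It needs Perl 5.12 or later for "delete local".

```perl
#!/usr/bin/perl -T
# Added example, not the attached patch or GnuPG::Interface code.
use strict;
use warnings;
use 5.012;    # for "delete local"

# Hypothetical helper: return the version reported by the gpg binary at $call.
sub gpg_version {
    my ($call) = @_;

    if (${^TAINT}) {    # non-zero when perl runs with -T or -t
        # A bare name such as 'gpg' would be resolved through the tainted
        # $ENV{PATH}, so insist on an absolute path and untaint it by
        # capturing from a restrictive pattern.
        $call =~ m{\A(/[\w.+/-]+)\z}
            or die "taint mode: 'call' must be an absolute path, got '$call'\n";
        $call = $1;
    }

    # Drop PATH and the other variables perl's taint check inspects (see
    # perlsec), only for this scope; the caller's %ENV is restored on return.
    delete local @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)} if ${^TAINT};

    # List-form open: no shell is involved, arguments are passed as-is.
    open( my $fh, '-|', $call, '--version' )
        or die "cannot run $call: $!\n";
    my $banner = <$fh> // '';
    close $fh;

    # The first line has the form "gpg (GnuPG) x.y.z".
    return $banner =~ /(\d+\.\d+\.\d+)/ ? $1 : undef;
}

# /usr/bin/gpg is the Debian default named in the report; adjust as needed.
my $version = gpg_version('/usr/bin/gpg');
print defined $version ? "gpg version $version\n" : "version not detected\n";
```

Run it as `perl -T script.pl` or execute the file directly, since perl refuses a -T that appears only on the #! line. Without the PATH handling, the open call dies under -T with "Insecure $ENV{PATH}".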

Attached is a test file to test that GnuPG::Interface can run in Taint mode.
Subject: taint.t
#!/usr/bin/perl -wT
#
# Ensure we can instantiate in Taint mode. Don't need to
# do any work, as GnuPG::Interface runs the command we're going
# to use to detect the version.

use strict;

use lib './t';
use MyTest;

use GnuPG::Interface;

my $gnupg;

# See that we instantiate an object in Taint mode
TEST
{
    $gnupg = GnuPG::Interface->new( call => '/usr/bin/gpg' );
};

# See that version is set
TEST
{
    defined $gnupg->version;
};
Hi,

I've applied a very similar patch to yours on this branch: https://github.com/bestpractical/gnupg-interface/tree/update-version-if-call-is-updated

Does it fix it for you?

Regards,
Dianne.
Sorry, this is the wrong ticket; please ignore.