Bug #30126 for Data-FormValidator: untaint.t fails to add -I entries for PERL5LIB

Fri Oct 19 14:33:47 2007 mst [...] shadowcatsystems.co.uk - Ticket created

Subject:	untaint.t fails to add -I entries for PERL5LIB
Date:	Fri, 19 Oct 2007 19:33:14 +0100
To:	bug-Data-FormValidator [...] rt.cpan.org
From:	Matt S Trout <mst [...] shadowcatsystems.co.uk>

This results in untaint.pl being unable to find Perl6::Junction if it isn't installed system-wide and thus the test fails. Please look at Test::Harness for an example of code unrolling PERL5LIB into -I statements, specifically to ensure .t files get the appropriate library path when using taint mode. This causes test failures for any user attempting to install to a ~/ lib path for example and thus makes Data::FormValidator uninstallable without force for any user on shared hosting, or developers attempting to maintain a private lib to reduce system installation requirements. -- Matt S Trout Need help with your Catalyst or DBIx::Class project? Technical Director http://www.shadowcat.co.uk/catalyst/ Shadowcat Systems Ltd. Want a managed development or deployment platform? http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

Fri Oct 19 15:02:29 2007 mark [...] summersault.com - Correspondence added

Subject:	Re: [rt.cpan.org #30126] untaint.t fails to add -I entries for PERL5LIB
Date:	Fri, 19 Oct 2007 15:03:08 -0400
To:	bug-Data-FormValidator [...] rt.cpan.org
From:	Mark Stosberg <mark [...] summersault.com>

On Friday 19 October 2007 14:33, Matt S Trout via RT wrote: Show quoted text

> > This results in untaint.pl being unable to find Perl6::Junction if it > isn't installed system-wide and thus the test fails. > > Please look at Test::Harness for an example of code unrolling > PERL5LIB into -I statements, specifically to ensure .t files get the > appropriate library path when using taint mode. > > This causes test failures for any user attempting to install to a ~/ > lib path for example and thus makes Data::FormValidator uninstallable > without force for any user on shared hosting, or developers > attempting to maintain a private lib to reduce system installation > requirements.

Matt, Thanks for the clear report explaining the issue. I plan to address it. A patch would be welcome, or I'll get it to myself eventually. Mark

Fri Oct 19 15:03:19 2007 The RT System itself - Status changed from 'new' to 'open'

Fri Oct 19 15:17:52 2007 mst [...] shadowcatsystems.co.uk - Correspondence added

Subject:	Re: [rt.cpan.org #30126] untaint.t fails to add -I entries for PERL5LIB
Date:	Fri, 19 Oct 2007 20:16:38 +0100
To:	"mark [...] summersault.com via RT" <bug-Data-FormValidator [...] rt.cpan.org>
From:	Matt S Trout <mst [...] shadowcatsystems.co.uk>

On Fri, Oct 19, 2007 at 03:03:59PM -0400, mark@summersault.com via RT wrote: Show quoted text

> > <URL: http://rt.cpan.org/Ticket/Display.html?id=30126 > > > On Friday 19 October 2007 14:33, Matt S Trout via RT wrote:

> > > > This results in untaint.pl being unable to find Perl6::Junction if it > > isn't installed system-wide and thus the test fails. > > > > Please look at Test::Harness for an example of code unrolling > > PERL5LIB into -I statements, specifically to ensure .t files get the > > appropriate library path when using taint mode. > > > > This causes test failures for any user attempting to install to a ~/ > > lib path for example and thus makes Data::FormValidator uninstallable > > without force for any user on shared hosting, or developers > > attempting to maintain a private lib to reduce system installation > > requirements.

> > Matt, > > Thanks for the clear report explaining the issue. I plan to address it. > A patch would be welcome, or I'll get it to myself eventually.

My preference would be to replace the body of the test with - my @args = ( '-I./lib', ( (defined($ENV{PERL5LIB}) && length($ENV{PERL5LIB})) ? (map { "-I$_" } split(/:/, $ENV{PERL5LIB})) : () ), '-T', './t/untaint.pl', qw(Jim Beam jim@foo.bar james@bar.foo 132.10.10.2 Monroe Rufus 12345 oops 0) ); # We use $^X to make it easier to test with different versions of Perl. -mls system($^X, @args); (not done as a diff because, well, there didn't seem to be much point) -- Matt S Trout Need help with your Catalyst or DBIx::Class project? Technical Director http://www.shadowcat.co.uk/catalyst/ Shadowcat Systems Ltd. Want a managed development or deployment platform? http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/

Fri Oct 19 15:22:04 2007 mark [...] summersault.com - Correspondence added

Subject:	Re: [rt.cpan.org #30126] untaint.t fails to add -I entries for PERL5LIB
Date:	Fri, 19 Oct 2007 15:23:00 -0400
To:	bug-Data-FormValidator [...] rt.cpan.org
From:	Mark Stosberg <mark [...] summersault.com>

Show quoted text

> > My preference would be to replace the body of the test with - > > my @args = ( > '-I./lib', > ( (defined($ENV{PERL5LIB}) && length($ENV{PERL5LIB})) > ? (map { "-I$_" } split(/:/, $ENV{PERL5LIB})) > > : () > > ), > '-T', > './t/untaint.pl', > qw(Jim Beam jim@foo.bar james@bar.foo > 132.10.10.2 Monroe Rufus 12345 oops 0) > ); > > # We use $^X to make it easier to test with different versions of > Perl. -mls system($^X, @args); > > (not done as a diff because, well, there didn't seem to be much > point)

Excellent. Thank you Matt! Mark

Fri Oct 19 15:43:11 2007 mark [...] summersault.com - Correspondence added

Subject:	Re: [rt.cpan.org #30126] untaint.t fails to add -I entries for PERL5LIB
Date:	Fri, 19 Oct 2007 15:44:09 -0400
To:	bug-Data-FormValidator [...] rt.cpan.org
From:	Mark Stosberg <mark [...] summersault.com>

OK, I've sent 4.52 to CPAN with this fix. It is temporarily also available here: http://mark.stosberg.com/perl/Data-FormValidator-4.52.tar.gz I gave you credit in the Changes file. Thanks again Matt! Mark

Sat Oct 20 14:44:43 2007 MARKSTOS [...] cpan.org - Correspondence added

released fix.

Sat Oct 20 14:44:46 2007 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'

Bug #30126 for Data-FormValidator: untaint.t fails to add -I entries for PERL5LIB

Maintainer(s)' notes