Bug #45556 for Term-ShellUI: Insecure dependency in open while running with -T switch

Wed Apr 29 09:50:00 2009 christian.kuelker [...] cipworx.org - Ticket created

Subject:

Insecure dependency in open while running with -T switch

Insecure dependency in open while running with -T switch at /usr/local/share/perl/5.8.8/Term/ShellUI.pm line 1888. Perl Version 5.8.8 Message pops up when saving history at the end of this test program after issuing "quit". (Workaround: comment out 'history_file'.) #!/usr/bin/perl -w -T #Insecure dependency in open while running with -T switch at /usr/local/share/perl/5.8.8/Term/ShellUI.pm line 1888. use strict; use warnings; use Term::ShellUI; delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}; # Make %ENV safe my $term = new Term::ShellUI( prompt => '> ', commands => { quit => { desc => 'Quit this program', maxargs => 0, method => sub { shift->exit_requested(1); }, } }, history_file => '~/.secure-history', ); print 'Using ' . $term->{term}->ReadLine . "\n"; $term->run();

Sun Mar 20 04:26:02 2011 BRONSON [...] cpan.org - Correspondence added

On Wed Apr 29 09:50:00 2009, ckuelker wrote: Show quoted text

> Insecure dependency in open while running with -T switch at > /usr/local/share/perl/5.8.8/Term/ShellUI.pm line 1888. > > Perl Version 5.8.8 > > Message pops up when saving history at the end of this test program > after issuing "quit". (Workaround: comment out 'history_file'.) > > delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}; # Make %ENV safe

... Show quoted text

> history_file => '~/.secure-history',

It's because you're specifying ~ in your history_file path, so Term::ShellUI needs to expand it to your home directory. Problem is, $ENV{HOME} is tainted. Either expand your history_file path before passing it to Term::ShellUI (history_file => "/home/bronson/.secure-history") or untaint $ENV{HOME}.

Sun Mar 20 04:26:03 2011 The RT System itself - Status changed from 'new' to 'open'

Tue May 17 21:15:17 2011 BRONSON [...] cpan.org - Status changed from 'open' to 'resolved'