
This queue is for tickets about the FindBin-libs CPAN distribution.

Report information
The Basics
Id: 46806
Status: resolved
Worked: 30 min
Priority: 0/
Queue: FindBin-libs

People
Owner: LEMBARK [...] cpan.org
Requestors: redneb [...] gmx.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Cannot use FindBin::libs under taint mode
Date: Tue, 9 Jun 2009 14:22:26 -0400
To: bug-FindBin-libs [...] rt.cpan.org
From: redneb [...] gmx.com
When I try to execute a perl script with the -T switch I get the following error:

    Insecure dependency in eval while running with -T switch at
    /usr/lib/perl5/vendor_perl/5.8.8/FindBin/libs.pm line 358.
    BEGIN failed--compilation aborted at -e line 1.
On Tue Jun 09 14:23:01 2009, redneb@gmx.com wrote:
> When I try to execute a perl script with the -T switch I get the
> following error:
>
> Insecure dependency in eval while running with -T switch at
> /usr/lib/perl5/vendor_perl/5.8.8/FindBin/libs.pm line 358.
> BEGIN failed--compilation aborted at -e line 1.
This is due to a text eval of:

    package $caller; use libs qw( @libs_found )

to push the libs into the caller's space. I've replaced the eval with:

    require lib; lib->import( @libz )

Quick check:

    $ perl -T t/03.t
    Found */bin: /sandbox/lembark/Modules/Findbin-libs/bin /bin
    1..2
    ok 1 - @lib exported
    ok 2 - @bin exported

so that seems to have fixed the problem.
Subject: Re: [rt.cpan.org #46806] Resolved: Cannot use FindBin::libs under taint mode
Date: Wed, 10 Jun 2009 02:20:27 -0400
To: Steven Lembark via RT <bug-FindBin-libs [...] rt.cpan.org>
From: redneb [...] gmx.com
I just checked 1.38 under -T and there is now a very weird new (but related) bug. When I try

    perl -Twe 'use FindBin::libs qw(base=perllib); use CGI;'

I get an error:

    Insecure dependency in require while running with -T switch at -e line 1.
    BEGIN failed--compilation aborted at -e line 1.

On the other hand, the following:

    perl -Twe 'use lib "/path/to/perllib"; use CGI'

works just fine. This is strange because in both cases the contents of @INC are the same.
Subject: Re: [rt.cpan.org #46806] Resolved: Cannot use FindBin::libs under taint mode
Date: Wed, 10 Jun 2009 02:47:15 -0400
To: Steven Lembark via RT <bug-FindBin-libs [...] rt.cpan.org>
From: redneb [...] gmx.com
Ok, there is a simple explanation for this problem. When

    use FindBin::libs qw(base=perllib)

pushes "/path/to/perllib" into @INC, the string being pushed is tainted. So it must be untainted first, and then pushed into @INC. To verify this, I tried the following:

    perl -Twe 'use FindBin::libs qw(base=perllib); BEGIN {for(@INC){/(.*)/; $_=$1}} use CGI;'

and it works just fine. Of course this is overkill since it untaints the entire @INC and not just the new elements.

On Wed, Jun 10, 2009 at 02:20:27AM -0400, redneb@gmx.com wrote:
> I just checked 1.38 under -T and there is now a very weird new (but
> related) bug. When I try
>
>     perl -Twe 'use FindBin::libs qw(base=perllib); use CGI;'
>
> I get an error:
>
>     Insecure dependency in require while running
>     with -T switch at -e line 1.
>     BEGIN failed--compilation aborted at -e line 1.
>
> On the other hand, the following:
>
>     perl -Twe 'use lib "/path/to/perllib"; use CGI'
>
> works just fine. This is strange because in both cases the contents of
> @INC are the same.
Subject: Re: [rt.cpan.org #46806] Resolved: Cannot use FindBin::libs under taint mode
Date: Wed, 10 Jun 2009 07:14:43 -0400
To: bug-FindBin-libs [...] rt.cpan.org
From: Steven Lembark <lembark [...] wrkhors.com>
On Wed, 10 Jun 2009 02:47:37 -0400 "redneb via RT" <bug-FindBin-libs@rt.cpan.org> wrote:
> Queue: FindBin-libs
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=46806 >
>
> Ok, there is a simple explanation for this problem. When
>
>     use FindBin::libs qw(base=perllib)
>
> pushes "/path/to/perllib" into @INC, the string being pushed is
> tainted. So it must be untainted first, and then pushed into @INC.
> To verify this, I tried the following:
>
>     perl -Twe 'use FindBin::libs qw(base=perllib); BEGIN
>     {for(@INC){/(.*)/; $_=$1}} use CGI;'
>
> and it works just fine. Of course this is overkill since it
> untaints the entire @INC and not just the new elements.
I can use an untaint hack on the libs I find before passing them into lib->import(). This is a pure hack, however, given that I'm doing nada to actually check anything via the regex.

--
Steven Lembark
Workhorse Computing
85-09 90th St.
Woodhaven, NY, 11421
lembark@wrkhors.com
+1 888 359 3508
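The thread's own point is that a catch-all match like /(.*)/ satisfies -T without checking anything. The script below is an added illustration, not FindBin::libs code and not part of the ticket: it shows what an untaint that actually checks something looks like before a path is handed to lib->import(). The function names untaint_libdir and safe_lib_import, and the candidate directory list, are my own constructions; the tainted input is manufactured from %ENV, which Perl taints under -T, so the script runs offline.

```perl
#!/usr/bin/perl -T
# Added example (not FindBin::libs code): validate each library directory
# before untainting it and handing it to lib->import() under -T.
use strict;
use warnings;
use Scalar::Util qw( tainted );

# Untaint one directory path only if it passes real checks:
#   - absolute, built from a conservative character set, no "." / ".." segments
#   - exists as a directory
#   - not writable by group or others (an attacker-writable @INC entry is
#     exactly the situation -T exists to flag)
# Returns ( $clean_path, undef ) on success, ( undef, $reason ) on failure,
# so a bad entry is reported rather than silently dropped or shortened.
sub untaint_libdir {
    my ( $dir ) = @_;

    my ( $clean ) = $dir =~ m{ \A ( /[\w./+-]+ ) \z }x
        or return ( undef, "unexpected characters in '$dir'" );

    return ( undef, "dotted path segment in '$clean'" )
        if $clean =~ m{ (?: \A | / ) \.\.? (?: / | \z ) }x;

    return ( undef, "not a directory: $clean" ) unless -d $clean;

    my $mode = ( stat $clean )[2] & 07777;
    return ( undef, sprintf 'group/world writable (%04o): %s', $mode, $clean )
        if $mode & 022;

    return ( $clean, undef );
}

# Filter a candidate list and add the survivors to @INC with lib->import(),
# the same call the ticket's fix uses, but only for validated paths.
sub safe_lib_import {
    my @clean;
    for my $dir ( @_ ) {
        my ( $ok, $why ) = untaint_libdir( $dir );
        if ( defined $ok ) { push @clean, $ok }
        else               { warn "skipping lib dir: $why\n" }
    }
    require lib;
    lib->import( @clean ) if @clean;
    return @clean;
}

# Demo: everything in %ENV is tainted under -T, so an empty slice of
# $ENV{PATH} appended to a literal yields a tainted string, the same state
# a path discovered on the filesystem would be in. The list is constructed;
# /tmp is normally sticky world-writable and should be rejected.
my $taint      = substr( $ENV{PATH} || '', 0, 0 );
my @candidates = map { $taint . $_ } '/usr/lib', '/tmp', 'relative/lib', '/etc/../etc';

for my $dir ( @candidates ) {
    printf "%-16s tainted=%d\n", $dir, tainted( $dir ) ? 1 : 0;
}
my @added = safe_lib_import( @candidates );
print "added to \@INC: @added\n";
```

Run it as `perl -T untaint_demo.pl` (the -T on the shebang line only works when the switch is also given on the command line). The design choice worth noting is the return shape: a rejected entry produces a reason, whereas `map { m{ (.+) }x } @libz` returns an empty list for a non-matching element, so that element simply disappears from the array.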
Subject: Re: [rt.cpan.org #46806] Resolved: Cannot use FindBin::libs under taint mode
Date: Wed, 10 Jun 2009 07:22:30 -0400
To: bug-FindBin-libs [...] rt.cpan.org
From: Steven Lembark <lembark [...] wrkhors.com>
On Wed, 10 Jun 2009 02:47:37 -0400 "redneb via RT" <bug-FindBin-libs@rt.cpan.org> wrote:
> Queue: FindBin-libs
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=46806 >
>
> Ok, there is a simple explanation for this problem. When
>
>     use FindBin::libs qw(base=perllib)
>
> pushes "/path/to/perllib" into @INC, the string being pushed is
> tainted. So it must be untainted first, and then pushed into @INC.
> To verify this, I tried the following:
>
>     perl -Twe 'use FindBin::libs qw(base=perllib); BEGIN
>     {for(@INC){/(.*)/; $_=$1}} use CGI;'
>
> and it works just fine. Of course this is overkill since it
> untaints the entire @INC and not just the new elements.
--- lib/FindBin/libs.pm (revision 286) +++ lib/FindBin/libs.pm (working copy) @@ -198,6 +198,11 @@ pop @dirpath } + # HAK ALERT: the regex does nothing for security, + # just dodges -T. + + @libz = map { m{ (.+) }x } @libz; + # caller gets back the existing lib paths # (including volume) walking up the path # from $FindBin::Bin -> root. -- Steven Lembark 85-09 90th St. Workhorse Computing Woodhaven, NY, 11421 lembark@wrkhors.com +1 888 359 3508
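Review bot: `@libz = map { m{ (.+) }x } @libz;` in the hunk at line 198 does more than dodge -T, which the HAK ALERT comment already admits: in list context a failed match returns an empty list, so any element that does not match (an empty string) silently vanishes from @libz, and because `.` does not match a newline without /s, an element containing a newline is truncated to its first line instead of being rejected. Suggest restricting the capture to the characters a library path may legitimately contain (an absolute path with no `..` segments), checking the result with `-d` before accepting it, and warning on the entries that fail rather than dropping or shortening them, so the regex actually earns the untaint it performs.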
No further replies, assuming the fix worked.