Subject: Taint problem in Archive::Zip::Member
Programs calling Archive::Zip::Member when under -T taint mode get an
insecure dependency error.
I've replicated this by modifying t/10_chmod.t's shebang to read:

    #!/usr/bin/env perl -T

Then prove -l t/10_chmod.t produces:

    t/10_chmod.t .. Insecure dependency in chmod while running with -T switch at /usr/local/src/Archive-Zip-1.30/lib/Archive/Zip/Member.pm line 490.

There's another ticket, #42035, which reports this issue as being in
Strawberry perl, but it's also happening on my platform which is perl
5.12.2 on Linux server18.netring.co.uk 2.6.18-194.17.1.el5. This is a
custom perl built from source and compiled into /opt/perl5/.
I'm more than happy to help resolve this issue - I've spent some time
on it but I haven't figured it out yet. The error producing bit is:

    chmod ($self->unixFileAttributes(), $name)
        or return _error("Can't chmod() ${name}: $!");

It seems to be $self->unixFileAttributes() which is causing the taint
error, rather than $name. I've tried to see where that's getting set
from something tainted but haven't been able to spot it.
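
An added example, not part of the ticket and not Archive::Zip code: under -T, bytes read from a file are tainted, the taint follows a numeric mode unpacked from them, and chmod rejects the tainted mode until it has been validated. The 4-byte field layout and the helper name untaint_mode are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Run with: perl -T taint_chmod.pl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);

die "run this script with perl -T\n" unless ${^TAINT};

# Constructed sample input: one 32-bit little-endian field carrying a
# Unix mode in its high 16 bits (layout assumed for this example).
my ($fh, $path) = tempfile(UNLINK => 1);
binmode $fh;
print {$fh} pack('V', 0100644 << 16);
close $fh or die "close: $!";

open my $in, '<', $path or die "open: $!";
binmode $in;
read($in, my $raw, 4) == 4 or die "short read\n";
close $in;

# File input is tainted; unpack, shift and mask all propagate the taint.
my $mode = (unpack('V', $raw) >> 16) & 07777;
printf "raw tainted=%d mode tainted=%d path tainted=%d\n",
    map { tainted($_) ? 1 : 0 } $raw, $mode, $path;

# chmod checks every argument, the mode included, so this call dies
# even though the file name itself is clean.
my $ok = eval { chmod($mode, $path); 1 };
print $ok ? "chmod accepted the tainted mode\n" : "chmod refused: $@";

# Hypothetical helper: accept only a plain integer within the permission
# bits. The regex capture is what clears the taint flag.
sub untaint_mode {
    my ($m) = @_;
    my ($digits) = ($m =~ /\A([0-9]{1,4})\z/)
        or die "mode is not a plain integer\n";
    die "mode out of range\n" if $digits > 07777;
    return $digits + 0;
}

my $clean = untaint_mode($mode);
printf "clean mode %04o tainted=%d\n", $clean, tainted($clean) ? 1 : 0;
chmod($clean, $path) or die "Can't chmod() $path: $!";
```

Calling tainted() on each chmod argument in turn, as the printf does here, is a quick way to confirm which one carries the taint.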