
This queue is for tickets about the Lingua-Any-Numbers CPAN distribution.

Report information
The Basics
Id: 80084
Status: resolved
Priority: 0/
Queue: Lingua-Any-Numbers

People
Owner: Nobody in particular
Requestors: user42 [...] zip.com.au
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: taint mode
Date: Wed, 10 Oct 2012 08:46:54 +1100
To: bug-Lingua-Any-Numbers [...] rt.cpan.org
From: Kevin Ryde <user42 [...] zip.com.au>
With recent debian i386 perl 5.14.2 running

    perl -T -MLingua::Any::Numbers

gets an error

    An error occurred while including sub modules: Insecure dependency in require while running with -T switch at /usr/share/perl5/Lingua/Any/Numbers.pm line 159.

where I thought perhaps Lingua::Any::Numbers might be used in taint mode.

The clearest case would be a to_string() with the $lang language untainted and all of @INC untainted, I think that could load and convert etc.

Not sure what ought to happen if there's some taintedness. Maybe a tainted language name or @INC directory name should die to protect against arbitrary code execution. Or perhaps if the language name looks valid then it could load but its taintedness propagate onto each to_string() return ...
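The pattern the report asks for, as an added example that is not the module's own code: a minimal loader that untaints a user-supplied language name against a whitelist before a dynamic require, and refuses to run if any @INC entry is tainted. The NUMBER_LANG environment variable and the %known table are assumptions for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not part of Lingua::Any::Numbers: show why a dynamic
# require of a user-supplied language name dies under -T, and how a
# loader can untaint that name against a whitelist before requiring.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed input source: everything in %ENV is tainted under -T.
my $lang = $ENV{NUMBER_LANG} // 'EN';

# Assumed table of language codes the loader is willing to map to a module.
my %known = (
    EN => 'Lingua::EN::Numbers',
    TR => 'Lingua::TR::Numbers',
);

sub untaint_lang {
    my ($name) = @_;
    # A regex capture is the only way to untaint a value in Perl; limiting
    # it to two letters means "EN/../../evil" can never reach require.
    my ($clean) = uc($name) =~ /\A([A-Za-z]{2})\z/
        or die "invalid language name\n";
    return $clean;
}

sub load_numbers_module {
    my ($name)  = @_;
    my $code    = untaint_lang($name);
    my $module  = $known{$code} or die "no converter for $code\n";

    # A tainted @INC entry also raises "Insecure dependency in require",
    # so refuse to load rather than search a directory we do not control.
    die "tainted entry in \@INC\n" if grep { tainted($_) } @INC;

    (my $file = "$module.pm") =~ s{::}{/}g;
    require $file;    # $file is built only from untainted pieces
    return $module;
}

my $module = load_numbers_module($lang);
print "loaded $module (input was tainted: ",
      tainted($lang) ? 'yes' : 'no', ")\n";
```

Run it as `perl -T script.pl`; starting it without -T makes perl refuse with "Too late for -T".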
On Tue, 09 Oct 2012 17:48:13, user42@zip.com.au wrote:
> With recent debian i386 perl 5.14.2 running
>
>     perl -T -MLingua::Any::Numbers
>
> gets an error
>
>     An error occurred while including sub modules: Insecure dependency in require while running with -T switch at /usr/share/perl5/Lingua/Any/Numbers.pm line 159.
>
> where I thought perhaps Lingua::Any::Numbers might be used in taint mode.
>
> The clearest case would be a to_string() with the $lang language untainted and all of @INC untainted, I think that could load and convert etc.
>
> Not sure what ought to happen if there's some taintedness. Maybe a tainted language name or @INC directory name should die to protect against arbitrary code execution. Or perhaps if the language name looks valid then it could load but its taintedness propagate onto each to_string() return ...
Hi,

This is fixed in v0.45, which will arrive on CPAN mirrors shortly.

Thanks,
Burak