This queue is for tickets about the Module-Find CPAN distribution.

Report information
The Basics
Id: 81077
Status: resolved
Priority: 0/
Queue: Module-Find

People
Owner: crenz [...] cpan.org
Requestors: adeltac [...] rent.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.11
Fixed in: 0.12



Subject: useall fails in taint mode
Date: Fri, 9 Nov 2012 16:34:02 +0000
To: "bug-Module-Find [...] rt.cpan.org" <bug-Module-Find [...] rt.cpan.org>
From: "Deltac, Aran" <adeltac [...] rent.com>
The error is: Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/vendor_perl/5.8.9/Module/Find.pm line 146.

The fix is something like this:

sub useall(*) { $prune = 0; my @r = _find($_[0]); foreach my $m (@r) { + if ($m =~ m{^([^:\s]+(?:::[^:\s]+)+)$}) { eval " require $1; import $1; "; die $@ if $@; + } else { die "$m doesn't look like a module name" } } return @r; }

I expect there is other code in Module::Find that is similarly taint-unsafe and needs fixing. I personally wouldn't use taint mode, but I work on a large codebase that depends on it and we just introduced Module::Find to simplify some stuff and had to introduce an ugly hack to get around this issue.
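Review bot: the untaint pattern on the added `if ($m =~ m{^([^:\s]+(?:::[^:\s]+)+)$})` line accepts any character that is not a colon or whitespace, so `$1` is treated as clean and interpolated into the string eval even when it contains characters such as `;`, quotes or parentheses that cannot occur in a package name. Restricting each component to identifier characters, for example `m{^(\w+(?:::\w+)+)\z}`, would make the capture an actual validation of the name instead of only a way to clear the taint flag, and `\z` avoids `$` matching before a trailing newline. The pattern also requires at least one `::`, which deserves a short comment in the code if that is intentional.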
Thank you for your contribution, and your patience. This should be fixed in v0.12 now. I have included your suggested changes.