
This queue is for tickets about the Module-Metadata CPAN distribution.

Maintainer(s)' notes

Attention bug reporters: issues MUST include the version of Module::Metadata that you are running that exhibit the stated symptoms. thank you!

Report information
The Basics
Id: 89283
Status: open
Priority: 0/
Queue: Module-Metadata

People
Owner: ether [...] cpan.org
Requestors: dagolden [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Eval $VERSION line in Safe compartment
We don't and we should.
I'm adding a reference to Perl 5's RT #115370. The gist of that ticket:

#####
$ perl -T -e'use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/5.18.0/Module/Metadata.pm line 631, <GEN3> line 14.
#####

My diagnosis: https://rt.perl.org/Ticket/Display.html?id=115370#txn-1272238

Please let me know what you think. Thank you very much.

Jim Keenan
Subject: Re: [rt.cpan.org #89283] Eval $VERSION line in Safe compartment
Date: Sat, 14 Dec 2013 20:25:02 -0500
To: bug-Module-Metadata [...] rt.cpan.org
From: David Golden <dagolden [...] cpan.org>
I'm not sure that even a Safe compartment is safe enough if someone has taint mode enabled. There's no way to know that the line of code being evaled isn't malicious in some way. As safe as we can make it, if someone wants taint mode, then evaling $VERSION lines should be fatal by default. The tricky thing with the perlbug ticket is that "can_load" would load this "unsafe" code anyway if there weren't a $VERSION check, so the existence of a $VERSION check doesn't make it any safer. I suspect that to accommodate this, Module::Metadata would need an option to blanket untaint the $VERSION line and then code like can_load that is intentionally going to do something unsafe later anyway can set the unsafe mode to avoid the taint check.
> Eval $VERSION line in Safe compartment
Yes, please!
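To make the trade-off in the previous message concrete, here is an added example (not Module::Metadata's own code, and the `untaint` option name is an assumption) that evaluates an extracted `$VERSION` line in a Safe compartment, refuses tainted input under -T by default, and only untaints when the caller opts in. Run it as `perl -T example.pl` so that taint mode is on.

```perl
use strict;
use warnings;
use Safe;
use Scalar::Util qw(tainted);

# Evaluate a single "$VERSION = ...;" line inside a Safe compartment.
# Under -T, tainted input is refused unless the caller explicitly opts in
# to untainting (the "unsafe mode" idea from the thread); the caller is
# then declaring it will load this code anyway.
sub eval_version_line {
    my ($line, %opt) = @_;

    if (tainted($line)) {
        die "refusing to eval tainted \$VERSION line (pass untaint => 1 to override)\n"
            unless $opt{untaint};
        # Blanket untaint via a regex capture; no validation of content is implied.
        ($line) = $line =~ /\A(.*)\z/s;
    }

    # Default Safe opmask: assignment and constants are allowed, but ops such
    # as system, open, and require are trapped at compile time.
    my $safe    = Safe->new;
    my $version = $safe->reval("$line; \$VERSION");
    die "eval failed: $@" if $@;
    return $version;
}

# Constructed sample line, as it would be extracted from a module's source.
my $clean = q{$VERSION = '1.23';};

# Simulate data read from an untrusted file: concatenating a zero-length
# slice of %ENV taints the string under -T (it stays clean without -T).
my $from_file = $clean . substr($ENV{PATH} // '', 0, 0);

print "clean:    ", eval_version_line($clean), "\n";

my $v = eval { eval_version_line($from_file) };
print "tainted:  ", ($v // "refused: $@");

print "untaint:  ", eval_version_line($from_file, untaint => 1), "\n";

# A line that does more than assign a version is stopped by the opmask,
# which is the reason for the compartment in the first place.
my $too_much = q{$VERSION = do { system("true"); '9.99' };};
my $t = eval { eval_version_line($too_much) };
print "opmask:   ", ($t // "blocked: $@");
```

Without -T the "tainted" case succeeds like the clean one, which is exactly the behaviour difference the ticket is about.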
On Sat Dec 14 16:05:51 2013, JKEENAN wrote:
> I'm adding a reference to Perl 5's RT #115370. The gist of that
> ticket:
>
> #####
> $ perl -T -e'use IPC::Cmd;IPC::Cmd->can_use_ipc_open3();'
> Insecure dependency in eval while running with -T switch at
> /usr/local/lib/perl5/5.18.0/Module/Metadata.pm line 631, <GEN3> line
> 14.
> #####
>
> My diagnosis:
>
> https://rt.perl.org/Ticket/Display.html?id=115370#txn-1272238
>
> Please let me know what you think.
>

Module-Metadata folks: Have you had a chance to look at this problem? Thank you very much.

Jim Keenan
Subject: Re: [rt.cpan.org #89283] Eval $VERSION line in Safe compartment
Date: Tue, 18 Feb 2014 10:30:20 -0800
To: James E Keenan via RT <bug-Module-Metadata [...] rt.cpan.org>
From: Karen Etheridge <ether [...] cpan.org>
On Sat, Jan 25, 2014 at 07:33:16PM -0500, James E Keenan via RT wrote:
> Module-Metadata folks: Have you had a chance to look at this problem?
It's on my agenda for the Lyon hackathon; I need to discuss this a bit to understand all the issues.
On 2014-02-18 10:30:30, ETHER wrote:
> It's on my agenda for the Lyon hackathon; I need to discuss this a bit to
> understand all the issues.
Now implemented in https://github.com/Perl-Toolchain-Gang/Module-Metadata/pull/1