
This queue is for tickets about the Devel-FindPerl CPAN distribution.

Report information
The Basics
Id: 90512
Status: resolved
Priority: 0/
Queue: Devel-FindPerl

People
Owner: Nobody in particular
Requestors: TINITA [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in:
  • 0.008
  • 0.009
  • 0.010
Fixed in: (no value)

Subject: if $ENV (respectively $ENV{ENV}) is set, t/11-tainted.t fails
On some systems/shells $ENV has content, for example "/etc/bash.bashrc".

In the module, you clean $ENV{PATH}, but not $ENV{ENV}. So the test fails:

    ENV=bla prove -Ilib t/11-tainted.t
    ...
    Insecure $ENV{ENV} while running with -T switch
    ...

Only

    unset ENV

helps.

perlsec says:
> Because some shells may use the variables IFS, CDPATH, ENV, and BASH_ENV, Perl checks
> that those are either empty or untainted when starting subprocesses. You may wish to
> add something like this to your setid and taint-checking scripts.
>
>     delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer
thanks, tina
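The interaction Tina describes, as an added example rather than Devel::FindPerl's own code: run under taint mode with ENV set (e.g. `ENV=bla perl -T example.pl`), the first subprocess start dies because only PATH was cleaned, and the second succeeds once the perlsec cleanup has been applied. It assumes /bin/sh exists and that a fixed PATH of /usr/bin:/bin is acceptable for the caller.

```perl
#!/usr/bin/perl -T
# Added example, not part of Devel::FindPerl. Run as: ENV=bla perl -T example.pl
use strict;
use warnings;

# Start a subprocess under taint mode. Returns an empty string on success,
# or Perl's fatal message (e.g. "Insecure $ENV{ENV} while running with -T
# switch") on failure. /bin/sh is assumed to exist (any POSIX system).
sub try_subprocess {
    local $@;
    my $ok = eval { system('/bin/sh', '-c', 'exit 0'); 1 };
    return $ok ? '' : $@;
}

# The cleanup perlsec recommends: give PATH a known-safe, untainted value
# and drop the variables some shells read on startup. Assumption: a PATH
# of /usr/bin:/bin is acceptable here.
sub sanitize_env {
    $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # "Make %ENV safer"
    return;
}

# Reproduce the report: only PATH is cleaned, $ENV{ENV} is left tainted.
$ENV{PATH} = '/usr/bin:/bin';
my $before = try_subprocess();
print 'PATH only : ', ($before ? "FAILED: $before" : "ok\n");

# Apply the full cleanup and try again.
sanitize_env();
my $after = try_subprocess();
print 'full clean: ', ($after ? "FAILED: $after" : "ok\n");
```

Without ENV in the environment both attempts print "ok", which is why the test only fails on systems or shells that export ENV.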
On Tue Nov 19 07:03:05 2013, TINITA wrote:
Hi Tina.

Thanks for your bug report. I just misread $ENV{ENV} as $ENV{PATH} and was like "WTF is going on there?", it seems reading is difficult :-/

Just released Devel::FindPerl 0.011, which should fix this.

Leon