Report information
Id: 133138
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: slaven [at] rezic.de
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



To: perlbug [...] perl.org
From: slaven [...] rezic.de
Subject: Blead Breaks CPAN: TOBYINK/Alt-Module-Runtime-ButEUMM-0.001.tar.gz
CC: srezic [...] cpan.org
Date: Sat, 21 Apr 2018 12:26:01 +0200
This is a bug report for perl from slaven@rezic.de,
generated with the help of perlbug 1.41 running under perl 5.27.11.

-----------------------------------------------------------------
t/taint.t fails since perl 5.27.5 (I did not notice earlier
because I usually don't test Alt::* modules):

...
#   Failed test at t/taint.t line 16.
#                   ''
#     doesn't match '(?^:\AInsecure dependency )'
#   Failed test at t/taint.t line 18.
#                   ''
#     doesn't match '(?^:\AInsecure dependency )'
#   Failed test at t/taint.t line 20.
#                   ''
#     doesn't match '(?^:\AInsecure dependency )'
# Looks like you failed 3 tests of 5.
t/taint.t ........... Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/5 subtests
...
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---
Site configuration information for perl 5.27.11:

Configured by eserte at Fri Apr 20 21:45:30 CEST 2018.

Summary of my perl5 (revision 5 version 27 subversion 11) configuration:

  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux cabulja 3.16.0-4-amd64 #1 smp debian 3.16.51-3 (2017-12-13) x86_64 gnulinux '
    config_args='-ds -e -Dprefix=/opt/perl-5.27.11 -Dusedevel -Dusemallocwrap=no -Dcf_email=srezic@cpan.org'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2'
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.9.2'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'

---
@INC for perl 5.27.11:
    /opt/perl-5.27.11/lib/site_perl/5.27.11/x86_64-linux
    /opt/perl-5.27.11/lib/site_perl/5.27.11
    /opt/perl-5.27.11/lib/5.27.11/x86_64-linux
    /opt/perl-5.27.11/lib/5.27.11

---
Environment for perl 5.27.11:
    HOME=/home/eserte
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/eserte/bin/linux-gnu:/home/eserte/bin/sh:/home/eserte/bin:/home/eserte/bin/pistachio-perl/bin:/usr/games:/home/eserte/devel
    PERLDOC=-MPod::Perldoc::ToTextOverstrike
    PERL_BADLANG (unset)
    SHELL=/bin/zsh
RT-Send-CC: perl5-porters [...] perl.org
On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:

> t/taint.t fails since perl 5.27.5 (I did not notice earlier
> because I usually don't test Alt::* modules):

0cbfaef69bb7fd07d9ececee9c76bd53c15eb888 is the first bad commit
commit 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888
Author: Nicolas R <atoomic@cpan.org>
Date:   Tue Sep 26 18:07:47 2017 -0500

    pp_require: return earlier when module is already loaded
Date: Sat, 21 Apr 2018 14:59:00 +0100
To: Sergey Aleynikov via RT <perlbug-followup [...] perl.org>
CC: perl5-porters [...] perl.org
Subject: Re: [perl #133138] Blead Breaks CPAN: TOBYINK/Alt-Module-Runtime-ButEUMM-0.001.tar.gz
From: Dave Mitchell <davem [...] iabyn.com>
On Sat, Apr 21, 2018 at 04:01:53AM -0700, Sergey Aleynikov via RT wrote:
> On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:
>
> > t/taint.t fails since perl 5.27.5 (I did not notice earlier
> > because I usually don't test Alt::* modules):
>
> 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888 is the first bad commit
> commit 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888
> Author: Nicolas R <atoomic@cpan.org>
> Date:   Tue Sep 26 18:07:47 2017 -0500
>
>     pp_require: return earlier when module is already loaded

(That commit for ticket RT #132171.)

The difference that commit makes can be seen in the following:

    my $modname = "strict.pm";
    my $tainted_modname = substr($ENV{PATH}, 0, 0) . $modname;
    eval {require($modname)}; print "err=[$@]\n";
    eval {require($tainted_modname)}; print "err=[$@]\n";

    $ perl5274 -T ~/tmp/p
    err=[]
    err=[Insecure dependency in require while running with -T switch at /home/davem/tmp/p line 8.
    ]

    $ perl5275 -T ~/tmp/p
    err=[]
    err=[]

The attempt to require the same module again is now detected earlier,
before the safe path and taint checks. It was intended as a performance
enhancement (skip more quickly second time round).

My feeling is that perl is ok and the distribution's t/taint.t needs
updating to reflect the new reality.

Unless anyone can think of a valid security reason why perl should
croak on requiring an already-loaded module via a tainted name, rather
than just quietly skipping?

-- 
"You may not work around any technical limitations in the software"
    -- Windows Vista license
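As an added example, not code from the thread or from the distribution, the script below puts the behaviour Dave describes next to the case the taint check still catches, and ends with the check a loader should do itself when module names come from untrusted input; the helper names are mine, and the "no error" outcome for the first case assumes perl 5.27.5 or later.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T this_script.pl   (taint mode must be on from the start)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint a string without changing its value: concatenating an empty
# substr of %ENV data carries the taint flag over (the trick used in
# the thread). Helper names in this script are my own, not the
# distribution's.
sub taint_string {
    my ($s) = @_;
    return substr($ENV{PATH} // '', 0, 0) . $s;
}

# Attempt a require and return the error text, '' on success.
sub try_require {
    my ($file) = @_;
    local $@;
    return eval { require $file; 1 } ? '' : $@;
}

my $loaded = 'strict.pm';  # already in %INC because of 'use strict' above
my $fresh  = 'less.pm';    # core pragma that nothing here has loaded yet

my $tainted_loaded = taint_string($loaded);
my $tainted_fresh  = taint_string($fresh);
die "expected the name to be tainted (is PATH set?)\n"
    unless tainted($tainted_loaded);

# Case 1: module already in %INC, tainted name.
#   perl <  5.27.5: "Insecure dependency in require ..."
#   perl >= 5.27.5: '' (the %INC hit is taken before the taint check)
my $err1 = try_require($tainted_loaded);

# Case 2: module not yet loaded, tainted name.
#   every version: "Insecure dependency in require ..." (taint check runs)
my $err2 = try_require($tainted_fresh);

print "already loaded: ", ($err1 eq '' ? "(no error)" : $err1), "\n";
print "not yet loaded: ", ($err2 eq '' ? "(no error)" : $err2), "\n";

# Mitigation for code that builds module names from untrusted input:
# reject tainted names yourself instead of relying on require to croak,
# since that croak is no longer guaranteed once a module is loaded.
sub safe_require {
    my ($file) = @_;
    die "refusing to require tainted module name\n" if tainted($file);
    require $file;
}
```

A test like the distribution's t/taint.t that wants to see the "Insecure dependency" error must therefore use a module that is not yet in %INC, as case 2 does.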
Date: Sun, 22 Apr 2018 09:16:37 +0200
From: Sawyer X <xsawyerx [...] gmail.com>
CC: perl5-porters [...] perl.org
Subject: Re: [perl #133138] Blead Breaks CPAN: TOBYINK/Alt-Module-Runtime-ButEUMM-0.001.tar.gz
To: Dave Mitchell <davem [...] iabyn.com>, Sergey Aleynikov via RT <perlbug-followup [...] perl.org>
On 04/21/2018 03:59 PM, Dave Mitchell wrote:
> On Sat, Apr 21, 2018 at 04:01:53AM -0700, Sergey Aleynikov via RT wrote:
>> On Sat, 21 Apr 2018 03:26:38 -0700, slaven@rezic.de wrote:
>>
>>> t/taint.t fails since perl 5.27.5 (I did not notice earlier
>>> because I usually don't test Alt::* modules):
>>
>> 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888 is the first bad commit
>> commit 0cbfaef69bb7fd07d9ececee9c76bd53c15eb888
>> Author: Nicolas R <atoomic@cpan.org>
>> Date:   Tue Sep 26 18:07:47 2017 -0500
>>
>>     pp_require: return earlier when module is already loaded
>
> (That commit for ticket RT #132171.)
>
> The difference that commit makes can be seen in the following:
>
>     my $modname = "strict.pm";
>     my $tainted_modname = substr($ENV{PATH}, 0, 0) . $modname;
>     eval {require($modname)}; print "err=[$@]\n";
>     eval {require($tainted_modname)}; print "err=[$@]\n";
>
>     $ perl5274 -T ~/tmp/p
>     err=[]
>     err=[Insecure dependency in require while running with -T switch at /home/davem/tmp/p line 8.
>     ]
>
>     $ perl5275 -T ~/tmp/p
>     err=[]
>     err=[]
>
> The attempt to require the same module again is now detected earlier,
> before the safe path and taint checks. It was intended as a performance
> enhancement (skip more quickly second time round).
>
> My feeling is that perl is ok and the distribution's t/taint.t needs
> updating to reflect the new reality.
>
> Unless anyone can think of a valid security reason why perl should
> croak on requiring an already-loaded module via a tainted name, rather
> than just quietly skipping?
The old behavior seems to only be a red herring to developers. You would go down the "this is a taint problem" when in fact you have already loaded that module and the load attempt can be ignored.

