Bug#881451: Insecure dependency in chdir while running with -T switch at /usr/share/perl/5.26/File/Find.pm line 375
Damyan Ivanov
dmn at debian.org
Sun Nov 12 10:22:32 UTC 2017
Control: reassign -1 libtest-version-perl/2.05-1
Control: tag -1 upstream patch
Control: retitle -1 Test::Version makes File::Find's chdir to fail in taint mode
-=| Daniel Leidert, 12.11.2017 00:15:34 +0100 |=-
> Package: perl-modules-5.26
> Version: 5.26.1-2
> Severity: normal
>
> I just wrote a test for a module using Test::Version. Running the test shows
> the mentioned message:
>
> t/00-version.t .. Insecure dependency in chdir while running with -T switch at /usr/share/perl/5.26/File/Find.pm line 375.
> t/00-version.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
>
> I'm not fully sure, but the mentioned issue in File::Find might cause the test
> failure.
File::Find fails because it tries to chdir with a tainted argument. No
bug here.
I guess Test::Version should set the untaint option when calling
File::Find. The patch below seems to fix this.
Reassigning, since the behaviour of File::Find is as documented.
You can avoid this issue if you omit the -T flag in your version.t.
After all, it runs over your code, not random user input.
-- dam
--- a/lib/Test/Version.pm
+++ b/lib/Test/Version.pm
@@ -211,7 +211,8 @@ sub version_all_ok {
$name ||= "all modules in $dir have valid versions";
- my @files = File::Find::Rule->perl_module->in( $dir );
+ my @files =
+ File::Find::Rule->perl_module->extras( { untaint => 1 } )->in($dir);
{
local $_IN_VERSION_ALL_OK = 1;
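Review bot: the added extras( { untaint => 1 } ) call in version_all_ok relies on File::Find's default untaint_pattern, and nothing in the hunk documents or handles the names that pattern rejects. Under -T a directory below $dir whose name falls outside the pattern (one containing a space, for example) makes find die unless untaint_skip is also set, so either pass untaint_skip or an explicit untaint_pattern in the same hash, or state the restriction in the POD for version_all_ok. A test script that calls version_all_ok under -T would keep this from regressing; the hunk adds none.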
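As an added example (not part of the original message and not Test::Version code), this Perl script shows the File::Find behaviour discussed in the reply: under -T a plain find() dies on chdir, untaint => 1 lets it descend, and a directory name outside the default untaint_pattern still stops it unless untaint_skip is set. The sample tree, the file names and the walk helper are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Constructed example; run as: perl -T find_taint_demo.pl
use strict;
use warnings;
use File::Find ();
use File::Temp ();

# Constructed sample tree: lib/Foo/Bar.pm and "lib/My Mod/Baz.pm".
my $tmp = File::Temp->newdir;    # removed again when the script exits
my $lib = $tmp->dirname . '/lib';
for my $dir ( $lib, "$lib/Foo", "$lib/My Mod" ) {
    mkdir $dir or die "mkdir $dir: $!";
}
for my $file ( "$lib/Foo/Bar.pm", "$lib/My Mod/Baz.pm" ) {
    open my $fh, '>', $file or die "open $file: $!";
    print {$fh} "package Sample;\nour \$VERSION = '0.01';\n1;\n";
    close $fh or die "close $file: $!";
}

# Walk $lib with the given File::Find options. Returns the .pm files seen
# and the error text if find() died ('' otherwise).
sub walk {
    my (%opts) = @_;
    my @found;
    my $wanted = sub { push @found, $File::Find::name if /\.pm\z/ };
    my $ok = eval { File::Find::find( { %opts, wanted => $wanted }, $lib ); 1 };
    my $err = $ok ? '' : $@;
    $err =~ s/ at \S+ line \d+.*//s;    # drop the "at ... line N" suffix
    chdir '/' or die "chdir /: $!";     # find() may have died inside the tree
    return ( \@found, $err );
}

my @cases = (
    [ 'no untaint',             {} ],
    [ 'untaint',                { untaint => 1 } ],
    [ 'untaint + untaint_skip', { untaint => 1, untaint_skip => 1 } ],
);
for my $case (@cases) {
    my ( $label, $opts ) = @$case;
    my ( $found, $err ) = walk(%$opts);
    printf "%-24s files=%d error=%s\n", $label, scalar @$found, $err || 'none';
}
```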