Module::Metadata in Taint Mode
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Sep 11 21:26:19 UTC 2013
hey folks--
http://bugs.debian.org/722210 describes some buggy misbehavior where
Module::Metadata causes crashes in taint mode.
https://rt.cpan.org/Ticket/Display.html?id=88567 shows some notes upstream.
i see that carnil_ has already updated libmodule-metadata-perl (thank
you!) to the upstream release of Module::Metadata.
But i'm wondering if we should try to patch perl-modules as well with
the associated fix. Otherwise, packages that might at some point call
Module::Load::Conditional while in taint mode will have to know about
this and explicitly Depend: on libmodule-metadata-perl, which seems
awkward and kind of confusing. (i say this as a maintainer for
msva-perl, which uses Module::Load::Conditional -- this was very obscure
breakage for me to track down).
Is this the sort of thing one could imagine rolling into a new version?
The fix seems to be in lib/Module/Metadata.pm:
@@ -661,8 +662,10 @@ sub _evaluate_version_line {
\$$var
};
}};
+ $eval = $1 if $eval =~ m{^(.+)}s;
+
local $^W;
# Try to get the $VERSION
eval $eval;
# some modules say $VERSION = $Foo::Bar::VERSION, but Foo::Bar isn't
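Review bot: the added line `$eval = $1 if $eval =~ m{^(.+)}s;` matches any non-empty string wholesale (with /s the dot spans newlines), so it clears the taint flag without checking the content; that is evidently the intent, since $eval is assembled from the version line already extracted above, but a one-line comment saying that this launders taint on a string the code itself built, rather than validating it, would keep a later reader from mistaking it for a sanity check.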
(i note that upstream was sensible enough to also add a t/taint.t as well).
I don't think i've ever really gotten my head around what changes are
"acceptable" to backport into perl-modules and which ones aren't.
Any pointers or thoughts?
--dkg
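To see what the patched line changes, here is an added example (not part of the bug report or of Module::Metadata's own code) that reads a constructed module file under `perl -T`, hits the same eval failure, and then applies the patch's untaint line:

```perl
#!/usr/bin/perl -T
# Added example, not code from Module::Metadata or the Debian bug report:
# reproduces the taint-mode eval failure and the one-line untaint in the patch.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);

# Constructed sample module source, written to a temp file and read back so
# that the data is tainted, just like a .pm file parsed by Module::Metadata.
my ($out, $path) = tempfile(UNLINK => 1);
print {$out} "package Foo::Bar;\nour \$VERSION = '1.23';\n1;\n";
close $out or die "close: $!";

open my $in, '<', $path or die "open $path: $!";
my ($version_line) = grep { /\$VERSION\s*=/ } <$in>;
close $in;
printf "version line tainted: %s\n", tainted($version_line) ? 'yes' : 'no';

# Mimic _evaluate_version_line: build a string that assigns $VERSION and
# then yields it, so eval returns the module's version.
my $eval = "$version_line\n\$VERSION";

# 1. Without the fix: a tainted string is an "insecure dependency" for eval.
my $v = eval $eval;
print "before fix: ", (defined $v ? "got $v\n" : "eval died: $@");

# 2. With the fix from the patch: m{^(.+)}s matches the whole string, so the
#    capture is the same text with the taint flag cleared. This is a
#    deliberate "trust this" step, not a validation of the content.
$eval = $1 if $eval =~ m{^(.+)}s;
printf "eval string tainted after untaint: %s\n", tainted($eval) ? 'yes' : 'no';
$v = eval $eval;
die "unexpected: $@" if $@;
print "after fix: got $v\n";
```

Run it as `perl -T example.pl`; the first eval dies with Perl's "Insecure dependency in eval while running with -T switch" error, the second returns the version.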