Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
Damyan Ivanov
dmn at debian.org
Thu Oct 19 20:21:57 UTC 2017
-=| Damyan Ivanov, 18.10.2017 20:20:16 +0000 |=-
> During discussion, Matt S. Trout suggested on IRC that the check for
> a valid package name is better written as $input =~
> /\A([A-Za-z]\w*(?:::\w+)*)\Z/. If no hierarchy is possible, then
> /\A([A-Za-z]\w*/ would be enough.
I forgot an additional suggestion from Matt for replacing a big string
eval with a much smaller one.
Here it is:
## old code
# string eval: $name is interpolated into source text, which taint mode (-T) rejects
eval qq{
    pop \@INC if \$INC[-1] eq '.';
    require Dpkg::Vendor::$name;
    \$obj = Dpkg::Vendor::$name->new();
};
unless ($@) {
    $OBJECT_CACHE{$vendor} = $obj;
    return $obj;
}
## new code
pop @INC if $INC[-1] eq '.';   # do not load modules from the current directory
# derive the class name and its file path (Foo::Bar -> Foo/Bar) in one statement
(my $path = my $class = "Dpkg::Vendor::${name}") =~ s/\::/\//g;
# block eval: nothing built from $name is compiled as source code
my $obj = eval { require "${path}.pm"; $class->new };
return $OBJECT_CACHE{$vendor} = $obj if $obj;
Cheers,
dam
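Both suggestions combined, as an added example that is not from this bug report or from dh-make-perl itself: the regex capture from the earlier message untaints the vendor name before anything is loaded, and a block eval with require replaces the string eval. It assumes libdpkg-perl is installed (Dpkg::Vendor::Debian); load_vendor and %OBJECT_CACHE are hypothetical names.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical loader: validate, untaint, then load Dpkg::Vendor::<Name>
# without compiling any source text derived from user input.
my %OBJECT_CACHE;

sub load_vendor {
    my ($vendor) = @_;

    # Under -T, capturing with a regex is the only way to untaint data.
    # This is the pattern suggested in the earlier message; any input that
    # does not match is rejected before it reaches require() or a method call.
    my ($name) = $vendor =~ /\A([A-Za-z]\w*(?:::\w+)*)\z/
        or die "invalid vendor name: '$vendor'\n";

    return $OBJECT_CACHE{$name} if $OBJECT_CACHE{$name};

    pop @INC if $INC[-1] eq '.';   # never load modules from the current directory

    # Foo::Bar -> Foo/Bar, then require the file and construct the object.
    # require() is itself taint-checked, so the untainting above is needed
    # even though no string eval is involved any more.
    (my $path = my $class = "Dpkg::Vendor::$name") =~ s{::}{/}g;
    my $obj = eval { require "$path.pm"; $class->new };
    die "cannot load $class: $@" unless $obj;

    return $OBJECT_CACHE{$name} = $obj;
}

# Command-line arguments are tainted under -T, which is what the old string
# eval tripped over. "Debian" loads Dpkg::Vendor::Debian; a name with
# characters outside the pattern, e.g. "bad name", dies at the validation step.
my $obj = load_vendor($ARGV[0] // 'Debian');
print ref($obj), "\n";
```

Run it as `perl -T load_vendor.pl Debian` so taint mode is enabled from the start; without -T the validation still applies but Perl would not have complained about the original string eval either.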
More information about the pkg-perl-maintainers mailing list