Stuff with the Perl Foundation. A couple of patches in the Perl core. A few CPAN modules. That about sums it up.

Journal of Ovid (2709)

Sunday April 23, 2006
01:27 PM

Class::CGI temporary showstopper

[ #29418 ]

You know, I was all proud of how Class::CGI was nice and easy to use and made untainting a breeze (due to its "once and only once" philosophy), but curiously, I had never run any tests under taint mode. Today I just did. It blew up, badly. The following snippet illustrates the problem:

#!/usr/bin/perl -T

use Module::Load::Conditional qw(check_install);

# Under -T this dies: check_install() reads Data/Dumper.pm and evals its
# $VERSION line, and anything read from a file is tainted.
check_install( module => 'Data::Dumper' );

Which blows up with:

Insecure dependency in eval while running with -T switch at /usr/local/lib/perl5/site_perl/5.8.7/Module/Load/ line 215, <GEN0> line 12.

It seems Module::Load::Conditional reads lines from the module's source file and evals any line mentioning VERSION to get the version number; under -T that line is tainted data, hence the "Insecure dependency in eval" error. This is a showstopper for Class::CGI. I'm working on a bug report and a fix now. All of the code appears to assume that the VERSION information is on a single line. That is not always correct, but if I use it as my baseline, I can at least hope that I won't make things worse.

Note that the same security hole appears to be present in Module::InstalledVersion and ExtUtils::MM_Unix.
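As an added example (not code from this post, from Class::CGI, or from Module::Load::Conditional), the script below puts the pattern described above, handing a module's VERSION line to eval STRING, beside an extractor that only ever pattern-matches the line and returns the literal it finds. The two module sources are constructed for the example, the file name version_scan.pl is hypothetical, and the regex deliberately adopts the same "the assignment is all on one line" baseline the post settles on; anything else yields undef rather than an eval.

```perl
#!/usr/bin/perl
# Added example (not Ovid's, Class::CGI's or Module::Load::Conditional's code).
# Contrasts eval()ing a $VERSION line read from a module file with a
# regex-only extractor that never executes file contents, and shows how each
# behaves under taint mode.  The module sources below are constructed.
use strict;
use warnings;
use File::Temp ();
use Scalar::Util qw(tainted);

# Unsafe pattern: the first line mentioning VERSION is handed to eval STRING.
# Under -T that line is tainted (it came from a file), so perl dies with
# "Insecure dependency in eval".  Without -T it runs whatever code the module
# author, or whoever last touched the file, put on that line.
sub version_by_eval {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    while ( my $line = <$fh> ) {
        next unless $line =~ /\bVERSION\b/;
        my $version = eval $line;    # value of the last statement, i.e. the assignment
        die $@ if $@;
        return $version;
    }
    return;
}

# Regex-only extractor.  Accepts a single-line assignment of a quoted or bare
# numeric literal (or a v-string) and returns just that literal.  Trailing code
# on the line is irrelevant because nothing here is executed.  The capture is
# untainted by the match, which is exactly what "untaint once" code needs.
my $VERSION_LINE = qr{
    ^ \s*
    (?: our \s+ | use \s+ vars \s+ qw\( \s* \$VERSION \s* \) ; \s* )?
    \$ (?: [\w:]+ :: )? VERSION           # bare or package-qualified VERSION
    \s* = \s*
    (['"]?)                               # optional opening quote ...
    ( v? \d+ (?: [._] \d+ )* )            # ... around a numeric literal / v-string
    \1 \s* ;                              # ... closed by the same quote
}x;

sub version_by_regex {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    while ( my $line = <$fh> ) {
        next unless $line =~ /\bVERSION\b/;
        return $2 if $line =~ $VERSION_LINE;
        return;    # first VERSION line is not a plain literal: give up, never eval
    }
    return;
}

# Constructed module sources, written to temp files so that under -T the lines
# read back are tainted exactly as they would be for a real installed module.
my %sources = (
    clean => <<'PM',
package Some::Module;
our $VERSION = '1.23';
1;
PM
    hostile => <<'PM',
package Evil::Module;
our $VERSION = do { print STDERR "side effect ran\n"; '9.99' };
1;
PM
);

for my $name ( sort keys %sources ) {
    my $tmp = File::Temp->new( SUFFIX => '.pm' );
    print {$tmp} $sources{$name};
    close $tmp or die "close: $!";

    my $v = eval { version_by_eval( $tmp->filename ) };
    printf "%-7s eval  : %s\n", $name,
        $@ ? "died: " . ( $@ =~ /Insecure dependency/ ? "insecure dependency in eval (taint)" : $@ )
           : defined $v ? $v : 'undef';

    $v = version_by_regex( $tmp->filename );
    printf "%-7s regex : %s\n", $name,
        defined $v ? "$v " . ( tainted($v) ? '[tainted]' : '[untainted]' )
                   : 'undef (not a plain literal; nothing executed)';
}
```

Run it as `perl -T version_scan.pl` to reproduce the taint failure: version_by_eval dies for both files, while version_by_regex returns an untainted '1.23' for the clean module and undef for the hostile one. Run it as `perl version_scan.pl` and the eval path happily executes the hostile line ("side effect ran" appears on STDERR) and reports 9.99, which is the real problem taint mode is flagging.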

  • Dude, EVERYTHING does it that way, because that, SOMEHOW, became the required way to do things.

    I mentioned at OSCON that there was an obvious DoS attack against PAUSE, right?

    You just found it.
    • I remember your comments and I remember you wouldn't elaborate, which seemed a reasonable thing to do. The fact that it's still not been fixed is discouraging. Right now, I have some code which finds -- without eval -- the correct version number of about 98% of what I have installed (440 modules), but some of the edge cases it misses are pretty important ones.

      What's worse is that while some failures are due to me learning the rather convoluted evolution of version numbers, some are due to authors being