Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

220 taint #313

Closed
wants to merge 2 commits into from
Closed

220 taint #313

wants to merge 2 commits into from

Conversation

brainbuz
Copy link
Collaborator

Isolating my proposed change of strict to getoptlong in a runperl block, also deleted a global stricture at line 16.

@brainbuz
Issue #220 study tests for strict
76053c9 
3 tests in t/op with stricture removal.
@brainbuz
Issue #220 study tests for strict by default.
bf71bab 
t/op/taint.t at 2520

This test is testing the 'use' command in code it generates and executes
with the -T taint flag.
I've picked another Core module to use in place of strict.

My editor also cleaned up some whitespace in t/op/taint.t

{
    # See the comment above the first formline test.
    local $ENV{PATH} = $ENV{PATH};
    $ENV{PATH} = $old_env_path if $Is_MSWin32;
    is runperl(
       switches => [ '-T' ],
       prog => 'use constant K=>$^X; 0 if K; BEGIN{} use strict; '
              .'print 122669, qq-\n-',
       stderr => 1,
     ), "122669\n",
        'tainted constant as logop condition should not prevent "use"';
}
atoomic
atoomic reviewed Oct 14, 2020
View reviewed changes
t/op/taint.t
@@ -2525,7 +2524,7 @@ is eval { eval $::x.1 }, 1, 'reset does not taint undef';
$ENV{PATH} = $old_env_path if $Is_MSWin32;
is runperl(
switches => [ '-T' ],
prog => 'use constant K=>$^X; 0 if K; BEGIN{} use strict; '
prog => 'use constant K=>$^X; 0 if K; BEGIN{} use Getopt::Long; '
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this change? what's the reason?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this change? what's the reason?

In #220 (comment), @brainbuz wrote:

taint.t had a global stricture and in a runperl block was testing the 'use' command with -T, in the PR I propose changing 'use strict' to 'use Getopt::Long', any Core module would serve the intention of the test.

So he appears to feel that using strict as the module to test the -T switch is no longer the best choice.

I'm not sure I agree that we need to make a change here, but if we decide to do so, I'd rather use a module that, say, lives under lib or ext rather than one that is dual-life.

Thank you very much.
Jim Keenan

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reviewed the original bug ticket in RT that gave rise to line 2528 above, as well as the commit that introduced that line and the unit test in which that line is found. The point of that line can be illustrated with this program:

$ cat rt-122669.pl 
#!perl -T
# https://github.com/Perl/perl5/commit/64ff300be0f7714585466af5bb87b2e37db5082a

# tainted constant
use constant K=>$^X;

# Just reading the constant for the sake of folding can enabled
# taintedness at compile time.
0 if K;

# Taintedness is still on when the ‘strict.pm’ SV is created, so
# require croaks on it (‘Insecure dependency’).
use strict;
#use less 'please';

... which is extracted from Father C's commit message in the commit cited.

Run this program, first in perl-5.18 and then in perl-5.20 (or any later version, including a perl built in our alpha branch). The earlier version produced the surprising exception about which the original RT was concerned.

$ perl -v | head -2 | tail -1
This is perl 5, version 18, subversion 4 (v5.18.4) built for x86_64-linux

$ perl -T rt-122669.pl 
Insecure dependency in require while running with -T switch at rt-122669.pl line 13.
BEGIN failed--compilation aborted at rt-122669.pl line 13.

If, in the program above, you comment out use strict; and substitute any other use statement, you get exactly the same results in perl-5.18 versus later versions. It's the use that is important here, not what is being used.

I think if we changed this to something other than strict, generations to come would be puzzled as to why we had done so. So I recommend leaving the line as is -- which means that there's nothing left to be altered via this p.r. -- which means the p.r. is closable without merging.

I will do so in 3 days time unless I hear otherwise.

Thank you very much.
Jim Keenan

@brainbuz brainbuz mentioned this pull request Oct 14, 2020
Open
@jkeenan
Copy link
Collaborator

jkeenan commented Oct 14, 2020

@brainbuz, Could you revise this pull request so that it just contains changes to t/op/taint.t?

In commit c5e9d4d, I just now merged into alpha changes for t/op/sprintf2.t, t/op/stash.t, t/op/sub.t-- your p.r. #312. So changes to those files do not have to be duplicated in this p.r.

Also, a smaller point:

Could I ask that you not put the Issue number a p.r. is referencing in the Subject of a pull request? If your Subject is, as in this case, "220 taint", that renders as "220 taint #313" in the GitHub GUI and as "220 taint (#313)" in my email. Speaking only for myself, I find all those numbers confusing.

Thank you very much.
JIm Keenan

@jkeenan jkeenan self-assigned this Oct 16, 2020
@brainbuz brainbuz closed this Oct 28, 2020
@brainbuz brainbuz deleted the 220_taint branch October 28, 2020 20:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atoomic atoomic atoomic left review comments

@jkeenan jkeenan jkeenan left review comments

Assignees

@jkeenan jkeenan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@brainbuz @jkeenan @atoomic