Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

220 taint #313

Closed
wants to merge 2 commits into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion t/op/sprintf2.t
Original file line number Diff line number Diff line change
@@ -265,7 +265,6 @@ if ($Config{nvsize} == 8 &&
print "# no hexfloat tests\n";
}

use strict;
use Config;

is(
10 changes: 3 additions & 7 deletions t/op/stash.t
Original file line number Diff line number Diff line change
@@ -55,12 +55,8 @@ SKIP: {
);
}

# now tests with strictures

{
use strict;
ok( !exists $pig::{bodine}, q(referencing a non-existent stash element doesn't produce stricture errors) );
}
ok( !exists $pig::{bodine},
q(referencing a non-existent stash element doesn't produce stricture errors) );

our $TODO;
SKIP: {
@@ -257,7 +253,7 @@ fresh_perl_is(

# effectively rename a stash
*slin:: = *rile::; *rile:: = *zor::;

::is *$globref, "*rile::tat",
'globs stringify the same way when stashes are moved';
::is ref $obj, "rile",
2 changes: 1 addition & 1 deletion t/op/sub.t
Original file line number Diff line number Diff line change
@@ -187,7 +187,7 @@ ok !exists $INC{"re.pm"}, 're.pm not loaded yet';
# [perl #122107] previously this would return
# Subroutine BEGIN redefined at (eval 2) line 2.
fresh_perl_is(<<'EOS', "", { stderr => 1 },
use strict; use warnings; eval q/use File::{Spec}/; eval q/use File::Spec/;
use warnings; eval q/use File::{Spec}/; eval q/use File::Spec/;
EOS
"check special blocks are cleared on error");

27 changes: 13 additions & 14 deletions t/op/taint.t
Original file line number Diff line number Diff line change
@@ -14,7 +14,6 @@ BEGIN {
require './loc_tools.pl';
}

use strict;
use Config;

plan tests => 1052;
@@ -1340,7 +1339,7 @@ violates_taint(sub { link $TAINT, '' }, 'link');
SKIP: {
# wildcard expansion doesn't invoke shell on VMS, so is safe
skip "This is not VMS", 2 unless $Is_VMS;

isnt(join('', eval { glob $foo } ), '', 'globbing');
is($@, '');
}
@@ -1464,7 +1463,7 @@ violates_taint(sub { link $TAINT, '' }, 'link');
{
# No reliable %Config check for getpw*
SKIP: {
skip "getpwent() is not available", 9 unless
skip "getpwent() is not available", 9 unless
eval { setpwent(); getpwent() };

setpwent();
@@ -1493,7 +1492,7 @@ violates_taint(sub { link $TAINT, '' }, 'link');
}

SKIP: {
skip "readlink() or symlink() is not available" unless
skip "readlink() or symlink() is not available" unless
$Config{d_readlink} && $Config{d_symlink};

my $symlink = "sl$$";
@@ -1566,7 +1565,7 @@ SKIP: {
warn "# shmget failed: $!\n";
}

skip "SysV shared memory operation failed", 1 unless
skip "SysV shared memory operation failed", 1 unless
$rcvd eq $sent;

is_tainted($rcvd, "shmread");
@@ -1738,9 +1737,9 @@ SKIP: {
${$_ [0]}
}


package main;

my $bar = "The Big Bright Green Pleasure Machine";
taint_these $bar;
tie my ($foo), Tie => $bar;
@@ -1773,13 +1772,13 @@ like($@, qr/^Modification of a read-only value attempted/,

{
# bug 20011111.105 (#7897)

my $re1 = qr/x$TAINT/;
is_tainted($re1);

my $re2 = qr/^$re1\z/;
is_tainted($re2);

my $re3 = "$re2";
is_tainted($re3);
}
@@ -1811,15 +1810,15 @@ TODO: {
violates_taint(sub { system $TAINT 'notaint' }, 'system');
violates_taint(sub { system {'notaint'} $TAINT }, 'system');

eval {
eval {
no warnings;
system("lskdfj does not exist","with","args");
system("lskdfj does not exist","with","args");
};
is($@, "");

eval {
no warnings;
exec("lskdfj does not exist","with","args");
exec("lskdfj does not exist","with","args");
};
is($@, "");

@@ -2525,7 +2524,7 @@ is eval { eval $::x.1 }, 1, 'reset does not taint undef';
$ENV{PATH} = $old_env_path if $Is_MSWin32;
is runperl(
switches => [ '-T' ],
prog => 'use constant K=>$^X; 0 if K; BEGIN{} use strict; '
prog => 'use constant K=>$^X; 0 if K; BEGIN{} use Getopt::Long; '
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this change? what's the reason?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this change? what's the reason?

In #220 (comment), @brainbuz wrote:

taint.t had a global stricture and in a runperl block was testing the 'use' command with -T, in the PR I propose changing 'use strict' to 'use Getopt::Long', any Core module would serve the intention of the test.

So he appears to feel that using strict as the module to test the -T switch is no longer the best choice.

I'm not sure I agree that we need to make a change here, but if we decide to do so, I'd rather use a module that, say, lives under lib or ext rather than one that is dual-life.

Thank you very much.
Jim Keenan

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reviewed the original bug ticket in RT that gave rise to line 2528 above, as well as the commit that introduced that line and the unit test in which that line is found. The point of that line can be illustrated with this program:

$ cat rt-122669.pl 
#!perl -T
# https://github.com/Perl/perl5/commit/64ff300be0f7714585466af5bb87b2e37db5082a

# tainted constant
use constant K=>$^X;

# Just reading the constant for the sake of folding can enabled
# taintedness at compile time.
0 if K;

# Taintedness is still on when the ‘strict.pm’ SV is created, so
# require croaks on it (‘Insecure dependency’).
use strict;
#use less 'please';

... which is extracted from Father C's commit message in the commit cited.

Run this program, first in perl-5.18 and then in perl-5.20 (or any later version, including a perl built in our alpha branch). The earlier version produced the surprising exception about which the original RT was concerned.

$ perl -v | head -2 | tail -1
This is perl 5, version 18, subversion 4 (v5.18.4) built for x86_64-linux

$ perl -T rt-122669.pl 
Insecure dependency in require while running with -T switch at rt-122669.pl line 13.
BEGIN failed--compilation aborted at rt-122669.pl line 13.

If, in the program above, you comment out use strict; and substitute any other use statement, you get exactly the same results in perl-5.18 versus later versions. It's the use that is important here, not what is being used.

I think if we changed this to something other than strict, generations to come would be puzzled as to why we had done so. So I recommend leaving the line as is -- which means that there's nothing left to be altered via this p.r. -- which means the p.r. is closable without merging.

I will do so in 3 days time unless I hear otherwise.

Thank you very much.
Jim Keenan

.'print 122669, qq-\n-',
stderr => 1,
), "122669\n",