Bug#717213: Module::Load::Conditional and taint mode

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 10 06:26:32 UTC 2013


It looks like some change introduced between 0.44 and 0.50 causes
Module::Load::Conditional::can_load to choke under taint mode.

I note that both http://bugs.debian.org/722210 and
http://bugs.debian.org/717213 are related to Module::Load::Conditional
failures under taint mode.  I suspect they're the same bug.

The versions of Module::Load::Conditional associated here are:

wheezy perl-modules                       0.44
wheezy libmodule-load-conditional-perl    0.50
sid    perl-modules                       0.54
sid    libmodule-load-conditional-perl    0.52
upstream                                  0.58


here's a carp trace on a system with 0.58 installed:
 
0 dkg at alice:/tmp/cdtemp.YOjk3A$ perl -MCarp::Always -wTMModule::Load::Conditional -e 'Module::Load::Conditional::can_load(modules => { 'Test' => undef });'
Insecure dependency in eval while running with -T switch at /usr/share/perl/5.18/Module/Metadata.pm line 631, <GEN0> line 23.
	Module::Metadata::_evaluate_version_line('Module::Metadata=HASH(0x1063878)', '$', 'VERSION', '$VERSION = \'1.26\';') called at /usr/share/perl/5.18/Module/Metadata.pm line 580
	Module::Metadata::_parse_fh('Module::Metadata=HASH(0x1063878)', 'FileHandle=GLOB(0x10d3568)') called at /usr/share/perl/5.18/Module/Metadata.pm line 358
	Module::Metadata::_init('Module::Metadata', undef, '/usr/share/perl/5.18/Test.pm', 'handle', 'FileHandle=GLOB(0x10d3568)') called at /usr/share/perl/5.18/Module/Metadata.pm line 79
	Module::Metadata::new_from_handle('Module::Metadata', 'FileHandle=GLOB(0x10d3568)', '/usr/share/perl/5.18/Test.pm') called at /usr/share/perl5/Module/Load/Conditional.pm line 259
	Module::Load::Conditional::check_install('module', 'Test', 'version', undef) called at /usr/share/perl5/Module/Load/Conditional.pm line 417
	Module::Load::Conditional::can_load('modules', 'HASH(0xd22cb8)') called at -e line 1
25 dkg at alice:/tmp/cdtemp.YOjk3A$ 

I note that the upstream changelog only mentions taint mode once, from
years ago:

Changes for 0.24    Wed Jan  2 16:53:19 CET 2008
=================================================
* Readdress #29348 to make sure version comparisons
  handle alpha versions (XX_YY type) gracefully.
* Address #31680 to make sure $FIND_VERSION works
  nicely with taint mode enabled.


Jos, do you have any idea what is going on here, or if it's possible to
run Module::Load::Conditional while under taint mode?

Regards,

     --dkg
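The trace above bottoms out in Module::Metadata evaluating a `$VERSION = ...` line read straight from Test.pm; under -T anything read from a filehandle is tainted, and eval of a tainted string is fatal. The script below is an added illustration, not code from this report or from Module::Metadata, that reproduces that failure in isolation and then shows the regex-capture untainting perlsec prescribes. The temp file, the sample version line and the narrow `[0-9._]+` pattern are constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added illustration (not from the bug report or Module::Metadata):
# eval of a version line read from a file dies under -T, and a
# validating regex capture is what makes the data acceptable again.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);

# Constructed sample: the kind of line Module::Metadata scans for,
# written to a temp file so that it comes back tainted when read.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "\$VERSION = '1.26';\n";
seek $fh, 0, 0 or die "seek: $!";
my $version_line = <$fh>;
close $fh;
chomp $version_line;

print "read from file, tainted: ",
      (tainted($version_line) ? "yes" : "no"), "\n";        # yes

# 1. What the failing code path effectively does: string-eval the raw
#    line. The taint check fires before the string is even compiled, so
#    it is the enclosing block eval that catches the croak here.
my $raw = eval { eval "package Sandbox; no strict; no warnings; $version_line" };
print "raw eval under -T: ", ($@ ? "died: $@" : "got $raw\n");
# died: Insecure dependency in eval while running with -T switch at ...

# 2. Validate the line against a strict shape and keep only the
#    captured text. A regex capture is the one sanctioned way to
#    launder tainted data; the pattern is what does the checking, so
#    it is kept deliberately narrow (plain numeric versions only).
my ($clean) = $version_line =~ /^(\$VERSION\s*=\s*'[0-9._]+';)$/;
die "version line did not match the expected shape\n" unless defined $clean;

print "after capture, tainted: ",
      (tainted($clean) ? "yes" : "no"), "\n";               # no

# 3. Evaluating the untainted text is permitted under -T.
my $version = eval "package Sandbox; no strict; no warnings; $clean";
die "eval failed: $@" if $@;
print "parsed \$VERSION = $version\n";                      # 1.26
```

Run it as `perl -T untaint_demo.pl` (with -T on the command line as well as the shebang, otherwise perl stops with "Too late for -T"). The first eval dies with exactly the "Insecure dependency in eval" message in the trace; the second succeeds only because `$clean` came out of a capture group. A real version parser has to accept far more forms than this pattern (`our $VERSION`, `q{}` quoting, v-strings, `$Foo::VERSION`), which is why a module like Module::Metadata cannot simply hard-code one regex and why it would need to untaint deliberately rather than eval the raw line.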