Module::Metadata in Taint Mode

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 11 21:26:19 UTC 2013


hey folks--

http://bugs.debian.org/722210 describes some buggy misbehavior where
Module::Metadata causes crashes in taint mode.

https://rt.cpan.org/Ticket/Display.html?id=88567 shows some notes upstream.

i see that carnil_ has already updated libmodule-metadata-perl (thank
you!) to the upstream release of Module::Metadata.


But i'm wondering if we should try to patch perl-modules as well with
the associated fix.  Otherwise, packages that might at some point call
Module::Load::Conditional while in taint mode will have to know about
this and explicitly Depend: on libmodule-metadata-perl, which seems
awkward and kind of confusing.  (i say this as a maintainer for
msva-perl, which uses Module::Load::Conditional -- this was very obscure
breakage for me to track down).

Is this the sort of thing one could imagine rolling into a new version?

The fix seems to be in lib/Module/Metadata.pm:


@@ -661,8 +662,10 @@ sub _evaluate_version_line {
         \$$var
       };
   }};

+  $eval = $1 if $eval =~ m{^(.+)}s;
+
   local $^W;
   # Try to get the $VERSION
   eval $eval;
   # some modules say $VERSION = $Foo::Bar::VERSION, but Foo::Bar isn't
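Review bot: the laundering line `$eval = $1 if $eval =~ m{^(.+)}s;` is correct but reads as a no-op to anyone who does not know the idiom, so it should carry a comment stating that its only purpose is to clear the taint flag on the string before `eval $eval`, and that no validation is intended (the text is about to be executed regardless, which is the trust decision `_evaluate_version_line` already makes). Two details belong in that comment: `.+` under `/s` captures the whole string, so the `if` only fails for an empty `$eval`, where the tainted empty string is harmless anyway; and the capture stops untainting if `use re 'taint'` is ever brought into scope, so the line depends on default regex semantics. The `local $^W;` that follows is unrelated to the taint problem and is fine as it stands.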


(i note that upstream was sensible enough to also add a t/taint.t).

I don't think i've ever really gotten my head around what changes are
"acceptable" to backport into perl-modules and which ones aren't.

Any pointers or thoughts?

	--dkg
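The following is an added example, not part of dkg's message and not Module::Metadata's own code. It reproduces the failure the bug report describes (eval of a tainted string under -T) and then applies the same regex capture as the patch to show that the identical eval succeeds afterwards. The sample module text, the package name Foo::Bar, the variable name and the try_eval helper are all constructed for the demo; the eval string is modelled on what _evaluate_version_line builds but is not a copy of it. It assumes only core Scalar::Util and File::Temp, and must be started with `perl -T` so the shebang's -T does not come "too late".

```perl
#!/usr/bin/perl -T
# Added demo, not Module::Metadata's code.  Run with: perl -T taint_eval.pl
# Shows that eval EXPR on a tainted string dies under -T, and that the
# regex capture from the patch (m{^(.+)}s) launders the string so the
# same eval then succeeds.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Constructed sample module written to a temp file.  Anything read back
# from a file is tainted under -T, exactly like a real .pm on disk.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "package Foo::Bar;\nour \$VERSION = '1.23';\n1;\n";
close $fh or die "close: $!";

open my $in, '<', $path or die "open $path: $!";
my ($line) = grep { /\$VERSION\s*=/ } <$in>;
close $in;
chomp $line;

# Build the eval string roughly the way _evaluate_version_line does:
# switch to the module's package, localise the variable, run the line,
# return the value.  Interpolating the tainted line taints the whole string.
my $var  = 'Foo::Bar::VERSION';   # assumed package/variable for the demo
my $eval = qq{
    package Foo::Bar;
    no strict;
    sub {
        local \$$var;
        $line;
        \$$var
    };
};

sub try_eval {
    my ($code) = @_;
    # eval BLOCK traps the "Insecure dependency" croak so the script can
    # report it instead of dying the way the unpatched module did.
    my $sub = eval { my $r = eval $code; die $@ if $@; $r };
    return $@ ? "died: $@" : "ok, \$VERSION = " . $sub->() . "\n";
}

printf "line tainted: %s, eval string tainted: %s\n",
    (tainted($line) ? 'yes' : 'no'), (tainted($eval) ? 'yes' : 'no');
print "before untaint: ", try_eval($eval);

# The one-line fix from the patch.  A regex capture is Perl's documented
# way to launder data; m{^(.+)}s matches the whole string, so $1 is the
# same text minus the taint flag.  No validation happens here: the module
# source is about to be eval'd anyway, so laundering it is the trust
# decision Module::Metadata already makes.
$eval = $1 if $eval =~ m{^(.+)}s;

printf "eval string tainted after capture: %s\n", tainted($eval) ? 'yes' : 'no';
print "after untaint:  ", try_eval($eval);
```

The first try_eval call reports "Insecure dependency in eval while running with -T switch", which is the crash the bug report describes; after the capture the same string evaluates and returns the parsed version. This is also why an explicit Depends: on libmodule-metadata-perl is the only workaround for a taint-mode caller as long as the copy inside perl-modules lacks the capture line.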


