Module::Metadata in Taint Mode
Dominic Hargreaves
dom at earth.li
Wed Sep 11 22:47:00 UTC 2013
[Moving message to debian-perl, which is better for more wide-ranging
discussion especially if it involves the perl packages]
On Wed, Sep 11, 2013 at 05:26:19PM -0400, Daniel Kahn Gillmor wrote:
> hey folks--
>
> http://bugs.debian.org/722210 describes some buggy misbehavior where
> Module::Metadata causes crashes in taint mode.
>
> https://rt.cpan.org/Ticket/Display.html?id=88567 shows some notes upstream.
>
> i see that carnil_ has already updated libmodule-metadata-perl (thank
> you!) to the upstream release of Module::Metadata.
>
>
> But i'm wondering if we should try to patch perl-modules as well with
> the associated fix. Otherwise, packages that might at some point call
> Module::Load::Conditional while in taint mode will have to know about
> this and explicitly Depend: on libmodule-metadata-perl, which seems
> awkward and kind of confusing. (i say this as a maintainer for
> msva-perl, which uses Module::Load::Conditional -- this was very obscure
> breakage for me to track down).
>
> Is this the sort of thing one could imagine rolling into a new version?
Yes, I'm preparing a new release of perl now.
> The fix seems to be in lib/Module/Metadata.pm:
>
>
> @@ -661,8 +662,10 @@ sub _evaluate_version_line {
> \$$var
> };
> }};
>
> + $eval = $1 if $eval =~ m{^(.+)}s;
> +
> local $^W;
> # Try to get the $VERSION
> eval $eval;
> # some modules say $VERSION = $Foo::Bar::VERSION, but Foo::Bar isn't
>
>
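Review bot: the added line `$eval = $1 if $eval =~ m{^(.+)}s;` is an untaint step, not a validation, and it deserves a comment saying so: with the /s modifier `.+` matches the entire string, so the only effect is that the captured `$1` loses its taint flag before the `eval $eval;` two lines further down. Without that comment the line reads as a no-op, and the comment should also make explicit that the safety of the `eval` now rests entirely on how `$eval` is assembled above the hunk (the `\$$var` template) rather than on anything the regex checks; the t/taint.t mentioned in the message is the natural place to pin that behaviour down.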
> (i note that upstream was sensible enough to also add a t/taint.t as well).
>
> I don't think i've ever really gotten my head around what changes are
> "acceptable" to backport into perl-modules and which ones aren't.
There are no hard and fast rules, but in the case of dual-lived modules
we certainly aim to minimise divergence with the separately-packaged
module in cases like this. We are much more likely to apply patches
which are in at least blead upstream than ones which aren't. We're a bit
less conservative than upstream are for maint branches (their maint
policy favours users manually installing newer versions of dual-lived
modules from CPAN whereas that doesn't make so much sense for Debian,
for example). And Niko will correct me here if he disagrees with
anything :)
Cheers,
Dominic.
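Added example, not part of the thread and not Module::Metadata's own code, showing the two behaviours the messages above describe: a string derived from tainted input passed to string-eval dies under perl -T, and the m{^(.+)}s capture from the quoted hunk clears the taint flag without looking at the content. The $VERSION line is constructed inline and tainted by appending an empty substring of $ENV{PATH}, as a stand-in for a line read from a module file (which is tainted under -T).

```perl
# Added example, not from the thread or from Module::Metadata itself.
# Run as:  perl -T taint_demo.pl
# Shows why string-eval of text derived from a file read dies under -T,
# and that the capture idiom from the patch,
#     $eval = $1 if $eval =~ m{^(.+)}s;
# clears the taint flag without inspecting the content.
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "This demo only means anything under taint mode: run it as perl -T\n"
    unless ${^TAINT};

# Constructed stand-in for a $VERSION line read from a module's source.
# Under -T everything read from a filehandle is tainted; appending an empty
# substring of $ENV{PATH} (always tainted under -T) marks it the same way.
my $version_line = 'our $VERSION = "1.23";' . substr($ENV{PATH} // '', 0, 0);

# Interpolating a tainted string taints the whole eval string.
my $eval = qq{ $version_line \$VERSION };
printf "eval string tainted before capture: %s\n", tainted($eval) ? 'yes' : 'no';

# Attempt 1: eval the tainted string, as the unpatched code did.
# Under -T this dies with
# "Insecure dependency in eval while running with -T switch".
my $v = eval $eval;
print "unpatched eval failed: $@" if $@;

# Attempt 2: the patch's idiom. /s lets .+ span newlines, so the capture is
# the whole string; $1 is untainted because Perl treats regex captures as
# having been validated by the programmer.
my $laundered = $eval;
$laundered = $1 if $laundered =~ m{^(.+)}s;
printf "eval string tainted after capture: %s\n", tainted($laundered) ? 'yes' : 'no';

local $^W;              # same warning suppression as in the hunk
$v = eval $laundered;
die "patched eval failed: $@" if $@;
print "\$VERSION evaluated to $v\n";
```

The first eval fails and the second succeeds purely because of the taint flag; the string content is identical in both. That is the point of the reviewer's caveat on the hunk: the regex buys back the ability to eval, so whatever guarantees the evaluated text is harmless has to come from how $eval is built, not from the match.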