
Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"

-=| Damyan Ivanov, 18.10.2017 20:20:16 +0000 |=-
> During discussion, Matt S. Trout suggested on IRC that the check for 
> a valid package name is better written as $input =~ 
> /\A([A-Za-z]\w*(?:::\w+)*)\Z/. If no hierarchy is possible, then 
> /\A([A-Za-z]\w*/ would be enough.

I forgot an additional suggestion from Matt for replacing a big string 
eval with a much smaller one.

Here it is:

## old code
        eval qq{
            pop \@INC if \$INC[-1] eq '.';
            require Dpkg::Vendor::$name;
            \$obj = Dpkg::Vendor::$name->new();
        };
        unless ($@) {
            $OBJECT_CACHE{$vendor} = $obj;
            return $obj;
        }

## new code
        pop @INC if $INC[-1] eq '.';
        (my $path = my $class = "Dpkg::Vendor::${name}") =~ s/\::/\//g;
        my $obj = eval { require "${path}.pm"; $class->new };
        return $OBJECT_CACHE{$vendor} = $obj if $obj;
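The point of the smaller eval is that the vendor name stops being compiled as Perl source. With the string eval, whatever ends up in `$name` is interpolated into code, so the name must be validated first or anything goes; with the block eval, the name is only used as a file path for `require` and as a class name for `->new`. Under `-T` both the string eval and a `require` of a tainted path die with "Insecure dependency", so the regex check from the thread is what untaints the value: in Perl, a capture group is the sanctioned way to launder tainted data. The following is an added, runnable illustration of the combined check-then-load sequence; it is not code from this thread or from dpkg. It assumes a stand-in `Dpkg::Vendor::Example` package registered in `%INC` so no module file is needed, and a hypothetical `get_vendor_object` that dies rather than falling back when loading fails.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for one vendor module so the example runs offline:
# the package is defined inline and its path is registered in %INC, so
# require "Dpkg/Vendor/Example.pm" succeeds without touching the filesystem.
package Dpkg::Vendor::Example;
sub new { my ($class) = @_; return bless {}, $class }
package main;
$INC{'Dpkg/Vendor/Example.pm'} = __FILE__;

my %OBJECT_CACHE;

# Accept only a leading letter, word characters and an optional :: hierarchy
# (the pattern suggested in the thread). Returning the capture rather than
# the raw input is what untaints the value when running under -T.
sub valid_vendor_name {
    my ($input) = @_;
    return $input =~ /\A([A-Za-z]\w*(?:::\w+)*)\Z/ ? $1 : undef;
}

# Hypothetical loader built around the thread's "new code": the name only
# ever becomes a file path and a class name, never Perl source.
sub get_vendor_object {
    my ($vendor) = @_;
    return $OBJECT_CACHE{$vendor} if exists $OBJECT_CACHE{$vendor};

    my $name = valid_vendor_name($vendor)
        or die "invalid vendor name '$vendor'\n";

    pop @INC if $INC[-1] eq '.';
    (my $path = my $class = "Dpkg::Vendor::${name}") =~ s{::}{/}g;
    my $obj = eval { require "${path}.pm"; $class->new };
    return $OBJECT_CACHE{$vendor} = $obj if $obj;
    die "cannot load $class: $@";
}

# Constructed inputs: one real module, one well-formed but missing module,
# and two names that a string eval would have interpolated into the code.
for my $candidate ('Example', 'Missing', 'X; system("id")', '1bad') {
    my $obj = eval { get_vendor_object($candidate) };
    if ($obj) {
        print "'$candidate' => loaded ", ref $obj, "\n";
    } else {
        chomp(my $err = $@);
        print "'$candidate' => refused: $err\n";
    }
}
```

Running it loads `Dpkg::Vendor::Example`, reports `Missing` as a failed `require` (the block eval catches it and nothing is cached), and rejects the other two names at the regex before any load is attempted. Note the cache is keyed on the caller's `$vendor` and filled only on success, matching the thread's one-line `return $OBJECT_CACHE{$vendor} = $obj if $obj;`.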

