Test::Compile diverging in Debian from upstream
Evans,
I am writing to plead with you to consider carefully applying the two
attached patches to the code of Test::Compile. They are backwards
compatible, transparent and really very necessary. They need to be
applied in order: taint.patch before lib.patch. They were originally forwarded to
the appropriate RT bugs but have been ignored in two subsequent
releases. It has taken a disproportionate amount of effort on my part to
rebuild the patches to match the new code.
The taint patch handles the case where a -T argument is in the shebang
line in the .pl file; i.e. taint mode.
The lib patch handles the case where a script in the distribution calls
a module from the same distribution. You really do want to make sure
that the module is pulled from the distribution tar ball and not from
the pre-existing installation of a possibly incompatible earlier version.
--
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu
Author: Nicholas Bamber <nicholas@periapt.co.uk>
Subject: taint mode not respected
If the -T argument is passed on the command line to the perl executable,
it will turn on "taint" mode, treating all input as suspect until checked,
and dying if the script attempts to output tainted data. Using taint
mode is considered good practice for sensitive programs that could
possibly be run by untrusted users. If the -T argument is used in the
shebang line of the script, then it needs to be passed when the script is
invoked - otherwise the script will fail to compile. Thus it is quite
important that this module pass the -T flag when required. We also provide
a test script to verify the extra functionality. There is also a -t argument
which warns rather than dies.
Last-Update: 2012-02-18
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649301
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=55837
--- /dev/null
+++ b/t/10_taint.t
@@ -0,0 +1,7 @@
+#!perl -w
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Compile;
+pl_file_ok('t/scripts/taint.pl', 'taint.pl compiles');
+
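Review bot: the test compiles t/scripts/taint.pl, but no hunk in this patch adds that file, so as shown the test cannot pass on a fresh checkout; the companion hunk for t/10-find-files.t in lib.patch already expects taint.pl to exist, so it looks like the file was dropped when the patch was rebuilt. Also consider naming the file 10-taint.t to match the existing t/10-find-files.t convention.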
--- a/lib/Test/Compile.pm
+++ b/lib/Test/Compile.pm
@@ -138,7 +138,8 @@
return ($@ ? 0 : 1);
} else {
my @perl5lib = split(':', ($ENV{PERL5LIB}||""));
- system($^X, (map { "-I$_" } @perl5lib), '-c', $file);
+ my $taint = _is_in_taint_mode($file);
+ system($^X, (map { "-I$_" } @perl5lib), "-c$taint", $file);
return ($? ? 0 : 1);
}
}
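Review bot: passing "-c$taint" builds "-cT" or "-ct" correctly, but note the interaction with the existing PERL5LIB handling on the line above: perl ignores PERL5LIB when -T is in effect, and mapping it to explicit -I switches reinstates those directories for the tainted compile. That is probably what a test harness wants, but it silently widens @INC for scripts whose author asked for taint mode, so it deserves a comment here and a sentence in the POD.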
@@ -177,6 +178,19 @@
return 'script' if -e 'script';
return 'bin' if -e 'bin';
}
+
+sub _is_in_taint_mode {
+ my $file = shift;
+ open(FILE, $file) or die "could not open $file";
+ my $shebang = <FILE>;
+ my $taint = "";
+ if ($shebang =~ /^#![\/\w]+\s+\-w?([tT])/) {
+ $taint = $1;
+ }
+ close FILE;
+ return $taint;
+}
+
1;
__END__
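Review bot: `open(FILE, $file)` is a two-argument open on a caller-supplied path, so a name containing a leading mode character or a trailing `|` is interpreted rather than opened literally; use the three-argument form with a lexical handle, `open(my $fh, '<', $file) or die "could not open $file: $!"`, and read the shebang from `$fh`. The regex also misses common shebangs: `#!/usr/bin/env perl -T` fails because `[\/\w]+` cannot cross the space before `perl`, and `#!perl -w -T` fails because `-w?` only allows the taint switch to be bundled directly after -w. On an empty file `$shebang` is undef and the match warns under -w. Something like `/^#!.*\s-\w*[tT]/` on a defined first line would cover these cases.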
Author: Nicholas Bamber <nicholas@periapt.co.uk>
Subject: need to provide path to libraries of distribution
Imagine you have a distribution consisting of a script and at least
one module. You want to test that the script compiles using this
module. However older versions of your module are already installed.
It is important that we pull in the current version of the modules
not the already released versions. The upstream code does not
take care of this at all. This patch also provides a test.
Bug: http://rt.cpan.org/Ticket/Display.html?id=72557
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649332
Last-Update: 2012-02-18
--- /dev/null
+++ b/t/scripts/lib.pl
@@ -0,0 +1,13 @@
+#!/usr/bin/perl
+
+BEGIN {
+ require strict;
+ require warnings;
+ require Test::Builder;
+ require File::Spec;
+ require UNIVERSAL::require;
+ @INC = grep { $_ eq 'blib/lib' } @INC;
+}
+use Test::Compile;
+
+sleep 1;
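Review bot: `@INC = grep { $_ eq 'blib/lib' } @INC;` discards every @INC entry except a literal 'blib/lib', so the following `use Test::Compile` can only succeed when the Compile.pm change has already prepended that path and the compile runs from the distribution root after `make`; a bare `prove -l t/` without a build will fail here with a confusing "Can't locate" error. The BEGIN block also `require`s UNIVERSAL::require, a non-core module that is not declared as a dependency anywhere visible in this patch, and `sleep 1` has no effect under -c; a comment explaining why it is there (or dropping it) would help.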
--- /dev/null
+++ b/t/11.lib.t
@@ -0,0 +1,7 @@
+#!perl -w
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Compile;
+pl_file_ok('t/scripts/lib.pl', 'lib.pl compiles');
+
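Review bot: the file name t/11.lib.t uses a dot where the other tests use a dash or underscore (t/10-find-files.t, t/10_taint.t); pick one separator, preferably the dash already used upstream, so the test files sort and glob consistently.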
--- a/lib/Test/Compile.pm
+++ b/lib/Test/Compile.pm
@@ -139,6 +139,7 @@
} else {
my @perl5lib = split(':', ($ENV{PERL5LIB}||""));
my $taint = _is_in_taint_mode($file);
+ unshift @perl5lib, 'blib/lib';
system($^X, (map { "-I$_" } @perl5lib), "-c$taint", $file);
return ($? ? 0 : 1);
}
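Review bot: `unshift @perl5lib, 'blib/lib';` prepends a relative path unconditionally, so the result depends on the current directory and the directory need not exist; guard it with `-d 'blib/lib'` and build the path with `File::Spec->catdir('blib', 'lib')` for portability. The surrounding `split(':', ...)` already hard-codes the Unix path separator, so this would be a good moment to use `$Config{path_sep}` for both. The context line `my $taint = _is_in_taint_mode($file);` confirms that this patch only applies after taint.patch, as the cover letter states.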
--- a/t/10-find-files.t
+++ b/t/10-find-files.t
@@ -13,10 +13,11 @@
my @files = sort (all_pl_files('t/scripts'));
# THEN
- is(scalar @files,3,"Found correct number of scripts");
+ is(scalar @files,4,"Found correct number of scripts");
like($files[0],qr/failure.pl/,"Found the failure script");
- like($files[1],qr/success.pl/,"Found the success script");
- like($files[2],qr/taint.pl/,"Found the tainted script");
+ like($files[1],qr/lib.pl/,"Found the lib script");
+ like($files[2],qr/success.pl/,"Found the success script");
+ like($files[3],qr/taint.pl/,"Found the tainted script");
}
sub test_all_pm_files {
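Review bot: the assertions hard-code both the file count and the sorted position of every script, so each new file under t/scripts forces a rewrite of this block (exactly what this hunk does). Comparing the sorted list against an explicit expected array with `is_deeply` would keep one place to edit and give a clearer diagnostic on failure.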