
Test::Compile diverging in Debian from upstream



Evans,
I am writing to plead with you to consider carefully applying the two attached patches to the code of Test::Compile. They are backwards compatible, transparent and really very necessary. They need to be applied taint.patch before lib.patch. They were originally forwarded to the appropriate RT bugs but have been ignored in two subsequent releases. It has taken a disproportionate amount of effort on my part to rebuild the patches to match the new code.

The taint patch handles the case where a -T argument is in the shebang line in the .pl file; i.e. taint mode.

The lib patch handles the case where a script in the distribution calls a module from the same distribution. You really do want to make sure that the module is pulled from the distribution tarball and not from the pre-existing installation of a possibly incompatible earlier version.

--
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu
Author: Nicholas Bamber <nicholas@periapt.co.uk>
Subject: taint mode not respected
 If the -T argument is passed on the command line to the perl executable,
 it will turn on "taint" mode, treating all input as suspect until checked,
 and dying if the script attempts to output tainted data. Using taint
 mode is considered good practice for sensitive programs that could
 possibly be run by untrusted users. If the -T argument is used in the
 shebang line of the script, then it needs to be passed when the script is
 invoked - otherwise the script will fail to compile. Thus it is quite
 important that this module pass the -T flag when required. We also provide
 a test script to verify the extra functionality. There is also a -t argument
 which warns rather than dies.
Last-Update: 2012-02-18
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649301
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=55837
--- /dev/null
+++ b/t/10_taint.t
@@ -0,0 +1,7 @@
+#!perl -w
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Compile;
+pl_file_ok('t/scripts/taint.pl', 'taint.pl compiles');
+
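Review bot: the fixture `t/scripts/taint.pl` that this new test compiles is not added anywhere in the patch as attached, even though the later `t/10-find-files.t` hunk in lib.patch already counts it among the existing scripts; include the fixture in taint.patch so the test is self-contained and does not depend on a file that arrives separately. Two smaller points: the name `10_taint.t` shares its number with the existing `10-find-files.t` and uses a different separator, and the file ends with a stray empty line.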
--- a/lib/Test/Compile.pm
+++ b/lib/Test/Compile.pm
@@ -138,7 +138,8 @@
             return ($@ ? 0 : 1);
         } else {
             my @perl5lib = split(':', ($ENV{PERL5LIB}||""));
-            system($^X, (map { "-I$_" } @perl5lib), '-c', $file);
+            my $taint = _is_in_taint_mode($file);
+            system($^X, (map { "-I$_" } @perl5lib), "-c$taint", $file);
             return ($? ? 0 : 1);
         }
     }
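Review bot: only the `system()` branch learns about taint here; the in-process branch just above it (the one ending in `return ($@ ? 0 : 1);`) is left unchanged, so a script carrying `-T` in its shebang is compiled under taint only when the external-perl path happens to be chosen. Either route taint-flagged scripts to the `system()` branch unconditionally or state in the POD that the two paths differ. Building the switch as `"-c$taint"` is fine because `_is_in_taint_mode` only ever returns "", "t" or "T", but a one-line comment saying so would spare the next reader from wondering about switch bundling.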
@@ -177,6 +178,19 @@
     return 'script' if -e 'script';
     return 'bin'    if -e 'bin';
 }
+
+sub _is_in_taint_mode {
+    my $file = shift;
+    open(FILE, $file) or die "could not open $file";
+    my $shebang = <FILE>;
+    my $taint = "";
+    if ($shebang =~ /^#![\/\w]+\s+\-w?([tT])/) {
+        $taint = $1;
+    }
+    close FILE;
+    return $taint;
+}
+
 1;
 __END__
 
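Review bot: `_is_in_taint_mode` dies on an unreadable file, which aborts the whole test run instead of reporting that one script as failing; return "" (or let the caller fail the test) rather than dying, and use a three-argument `open` with a lexical filehandle instead of the package-global bareword `FILE`. The regex `^#![\/\w]+\s+\-w?([tT])` also misses common shebangs: `#!/usr/bin/env perl -T` (the `[\/\w]+` stops at `env`) and bundled switches such as `-lT` or `-wlT`, so those scripts would silently be compiled without taint. A looser pattern that looks for any switch group containing `t`/`T`, e.g. `/^#!.*\s-\w*?([tT])/`, covers those cases; also guard against an empty file where `$shebang` is undef and the match warns.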
Author: Nicholas Bamber <nicholas@periapt.co.uk>
Subject: need to provide path to libraries of distribution
 Imagine you have a distribution consisting of a script and at least
 one module. You want to test that the script compiles using this
 module. However older versions of your module are already installed.
 It is important that we pull in the current version of the modules
 not the already released versions. The upstream code does not
 take care of this at all. This patch also provides a test.
Bug: http://rt.cpan.org/Ticket/Display.html?id=72557
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649332
Last-Update: 2012-02-18
--- /dev/null
+++ b/t/scripts/lib.pl
@@ -0,0 +1,13 @@
+#!/usr/bin/perl
+
+BEGIN {
+    require strict;
+    require warnings;
+    require Test::Builder;
+    require File::Spec;
+    require UNIVERSAL::require;
+    @INC = grep { $_ eq 'blib/lib' } @INC;
+}
+use Test::Compile;
+
+sleep 1;
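Review bot: the `BEGIN` block silently depends on every module Test::Compile loads (`Test::Builder`, `File::Spec`, `UNIVERSAL::require`) being preloaded before `@INC` is reduced to `blib/lib`; if upstream adds a dependency, this fixture fails with a misleading "Can't locate" error rather than a clear statement of what is being tested. Add a comment explaining that the `@INC = grep { $_ eq 'blib/lib' } @INC;` line is deliberate (the script must be findable only through the `-Iblib/lib` the lib patch injects), and either explain or drop the unexplained `sleep 1;`.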
--- /dev/null
+++ b/t/11.lib.t
@@ -0,0 +1,7 @@
+#!perl -w
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Compile;
+pl_file_ok('t/scripts/lib.pl', 'lib.pl compiles');
+
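Review bot: `t/11.lib.t` uses a dot as separator where the existing tests use a hyphen (`10-find-files.t`) and the taint test uses an underscore (`10_taint.t`); pick one convention (`11-lib.t` matches upstream) so the test files sort and read consistently. The file also ends with a stray empty line.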
--- a/lib/Test/Compile.pm
+++ b/lib/Test/Compile.pm
@@ -139,6 +139,7 @@
         } else {
             my @perl5lib = split(':', ($ENV{PERL5LIB}||""));
             my $taint = _is_in_taint_mode($file);
+	    unshift @perl5lib, 'blib/lib';
             system($^X, (map { "-I$_" } @perl5lib), "-c$taint", $file);
             return ($? ? 0 : 1);
         }
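Review bot: `unshift @perl5lib, 'blib/lib';` assumes the current directory is the distribution root and that `make` has already been run; under `prove -l` or a plain `perl t/...` invocation `blib/lib` does not exist, so the `-I` is silently useless and the script is still compiled against the installed module. Consider prepending `lib` as well (or checking `-d 'blib/lib'` and falling back to `lib`), and match the surrounding indentation: the added line is indented with a tab while the rest of the block uses spaces.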
--- a/t/10-find-files.t
+++ b/t/10-find-files.t
@@ -13,10 +13,11 @@
   my @files = sort (all_pl_files('t/scripts'));
 
   # THEN
-  is(scalar @files,3,"Found correct number of scripts");
+  is(scalar @files,4,"Found correct number of scripts");
   like($files[0],qr/failure.pl/,"Found the failure script");
-  like($files[1],qr/success.pl/,"Found the success script");
-  like($files[2],qr/taint.pl/,"Found the tainted script");
+  like($files[1],qr/lib.pl/,"Found the lib script");
+  like($files[2],qr/success.pl/,"Found the success script");
+  like($files[3],qr/taint.pl/,"Found the tainted script");
 }
 
 sub test_all_pm_files {
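Review bot: these assertions hard-code both the count and the sorted position of every fixture script, so each new fixture (as `lib.pl` shows here) requires renumbering the `$files[n]` indices; comparing the sorted basenames against an expected list with `is_deeply` would make the test self-describing and keep future additions to a one-line change.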
