
This queue is for tickets about the Perl-Dist-Strawberry CPAN distribution.

Report information
The Basics
Id: 132264
Status: new
Priority: 0/
Queue: Perl-Dist-Strawberry

People
Owner: Nobody in particular
Requestors: jkeenan [...] pobox.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: aero <chahkang [...] gmail.com>, MITHALDU [...] cpan.org, Leon Timmermans <fawaka [...] gmail.com>
Subject: Strawberry Perl Portable edition reports Perl's executable's path is tainted
Date: Sun, 29 Mar 2020 13:51:35 -0400
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: James E Keenan <jkeenan [...] pobox.com>
In taint mode, run the program attached, taint.pl, in both Strawberry Perl MSI edition and Strawberry Perl Portable.

According to the reports I have received, in the MSI edition (much like any other perl executable I've encountered) taint.pl reports:

#####
Path to perl executable ... is clean
#####

But in Strawberry Perl Portable, we are seeing the unexpected result:

#####
Path to perl executable ... is tainted
#####

Data:

1. http://www.cpantesters.org/cpan/report/90ddbb30-6d47-1014-bf40-0f5b8c5614d5

I followed up on this CPANtesters report with the tester, who reported running Strawberry Perl 5.28 Portable edition. We subsequently reduced the failures in IPC-System-Simple's t/taint.t to the program attached to this bug report. The reporter got the perl-executable-path "tainted" result -- and continued to do so even when the PATH envvar was substantially trimmed down (details upon request).

2. irc.perl.org #p5p Sun Mar 29 2020

I discussed this problem on IRC with Mithaldu, grinnz, genio, leont and others. Mithaldu reproduced the problem with Strawberry Perl 5.30 Portable edition. He has both a "regular" Strawberry Perl installed on his C drive and a Portable edition installed on his D drive. Running 'perl -T taint.pl', he got "clean" on the C drive but "tainted" on the D drive.

Analysis:

Leon T speculated: "Clearly, because Portable does some munging with %Config, and as a side-effect perlpath is now tainted. ... I'm not even sure if it's a bug or a feature that it does this. ... It sets perlpath to a helpful value, but it can't do that securely (by taint's definition of secure)."

Ask:

Can the Strawberry Perl team shed any light on this?

A subsidiary question: Is there any way to distinguish whether a given Strawberry Perl is "regular" or Portable?

Note: I don't have Strawberry Perl or Windows myself. I'm reporting this simply because I'm co-maint on IPC-System-Simple, where this problem was first observed.

Thank you very much.
Jim Keenan
Attachment: taint.pl (text/x-perl, 363b). Message body is not shown because sender requested not to inline it.
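The attached taint.pl is not shown on this page. The following is an added example, not the reporter's script and not Strawberry Perl code: run with `perl -T`, it reports the taint status of `$^X` and `$Config{perlpath}`, then shows one way a caller could vet a tainted interpreter path before using it. The helper names and the allowlist pattern are assumptions made for illustration.

```perl
use strict;
use warnings;
use Config;
use Scalar::Util qw(tainted);
use File::Spec;

# Return "tainted" or "clean" for a value, or a notice when -T is not active.
sub taint_status {
    my ($value) = @_;
    return 'taint mode off' unless ${^TAINT};
    return tainted($value) ? 'tainted' : 'clean';
}

# Launder an interpreter path only after it passes explicit checks.
# The allowlist pattern is an assumption; tighten it to your install layout.
sub vetted_perl_path {
    my ($path) = @_;
    return unless defined $path && File::Spec->file_name_is_absolute($path);
    return unless -f $path && -x _;
    # A regex capture is the standard way to untaint a validated value.
    my ($clean) = $path =~ m{\A((?:[A-Za-z]:)?[\\/][\w .\\/-]*perl[\w.-]*)\z}
        or return;
    return $clean;
}

# The two places a program usually looks for the path of the running perl.
my %sources = (
    '$^X'               => $^X,
    '$Config{perlpath}' => $Config{perlpath},
);

for my $name (sort keys %sources) {
    my $path = $sources{$name};
    printf "%-18s %-40s %s\n", $name, $path // '(undef)', taint_status($path);
    my $vetted = vetted_perl_path($path);
    printf "%-18s vetted copy: %s\n", '',
        defined $vetted ? "$vetted (" . taint_status($vetted) . ")" : 'rejected';
}
```

Comparing the output of `perl -T` on this script between two installations shows which source of the interpreter path carries the taint flag on each.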


