This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id:
17877
Status:
resolved
Priority:
Low/Low
Queue:

People
Owner:
ANDK [...] cpan.org
Requestors:
corion [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity:
Wishlist
Broken in:
1.87
Fixed in:
(no value)



Subject: CPAN should warn if CPAN::Config contains problematic entries
I have my make utility installed in a path with whitespace in it (actually, Microsoft chose so and I stayed with the default). CPAN/FirstTime.pm adds $CPAN::Config->{make} as 'make' => q[C:\Programme\Microsoft Visual C++ Toolkit 2003\bin\nmake.EXE], which later on causes problems with the shell interpolation. Of course, the Grand Big Scheme will be to exorcise all shell interpolation and system(STRING) calls, but the easy fix was to add appropriate quotes to my CPAN/Config.pm like this: 'make' => q["C:\Programme\Microsoft Visual C++ Toolkit 2003\bin\nmake.EXE"], I've patched CPAN::HandleConfig to add a C<sanity_check> method which currently checks just that the C<make> entry is sane (that is, exists, and if it contains whitespace, that it also has quotes at the start and end). See the attached diff against 1.87, and the attached test file to test it. Thanks for maintaining CPAN! -max
Subject: sanity_check.t
#!/usr/bin/perl -w use strict; use Test::More tests => 5; use Data::Dumper; use_ok "CPAN::HandleConfig"; { local $CPAN::Config = {}; is_deeply( { CPAN::HandleConfig->sanity_check() }, {}, "Sanity check for undefined 'make' entry works" ) or diag Dumper { CPAN::HandleConfig->sanity_check() }; }; { local $CPAN::Config = { make => '/some/path with whitespace/in it/where the file doesnt/exist', }; is_deeply( { CPAN::HandleConfig->sanity_check() }->{make}, [ 'A path seems to be given in >/some/path with whitespace/in it/where the file doesnt/exist< but the file was not found.', '>/some/path with whitespace/in it/where the file doesnt/exist< seems to contain whitespace but is not quoted. This might be OK if there are additional commands you want to pass to your make utility. If you want to use "/some/path with whitespace/in it/where the file doesnt/exist" as your make program, please add appropriate quotes to the line in Config.pm. ', ], "Sanity check for unquoted 'make' entry works" ) or diag Dumper { CPAN::HandleConfig->sanity_check() }; }; { local $CPAN::Config = { make => 'make', }; is_deeply( { CPAN::HandleConfig->sanity_check() }, {}, "Sanity check for bare 'make' is silent" ) or diag Dumper { CPAN::HandleConfig->sanity_check() }; }; { local $CPAN::Config = { make => 'nmake.exe', }; is_deeply( { CPAN::HandleConfig->sanity_check() }, {}, "Sanity check for bare 'make' is silent (Win32 variant)" ); };
Subject: HandleConfig.diff
--- HandleConfig.pm Wed Feb 22 23:02:27 2006 +++ HandleConfig.pm-Corion Mon Feb 27 16:54:40 2006 @@ -287,7 +287,7 @@ # maintainability. RMB # sub _configpmtest { - my($configpmdir, $configpmtest) = @_; + my($configpmdir, $configpmtest) = @_; if (-w $configpmtest) { return $configpmtest; } elsif (-w $configpmdir) { @@ -341,6 +341,18 @@ my(@miss); use Carp; require_myconfig_or_config; + my %warnings = $self->sanity_check(); + if (! $args{be_silent} && keys %warnings) { + $CPAN::Frontend->myprint( "*** The following values are possibly problematic:\n" ); + for my $val (keys %warnings) { + for my $w (@{$warnings{$val}}) { + $w =~ s!^!\t\t!mg; + my $text = $val . substr( $w, 1 ); + $CPAN::Frontend->myprint("$text\n"); + }; + }; + }; + return unless @miss = $self->missing_config_data; require CPAN::FirstTime; @@ -473,6 +485,60 @@ return grep /^\Q$word\E/, @o_conf; } +=head2 C<< $self->sanity_check >> + +Returns a list of suspicious/potentially problematic +values and the corresponding warning messages. + +Currently, the only check made is for: + +=head3 C<< make >> + +If the (path to the) file contains whitespace +and is not quoted, a warning is emitted, as +CPAN.pm and other tools will likely have problems +with that. + +=cut + +sub sanity_check { + my ($self) = @_; + my %res; + if (defined (my $make = $CPAN::Config->{make})) { + my $quotes = $^O eq 'MSWin32' + ? '"' + : qq<"'>; + + my ($real_make,$is_quoted); + if ($make =~ /^([$quotes])(.*)\1$/) { + ($is_quoted,$real_make) = ($2,$1); + } else { + $real_make = $make; + }; + + # This will maybe create bogus warnings on VMSish systems? + # Maybe this should use a real shell parser or something + # to determine which "word" is the (path to) the make program + if (! -f $real_make && $real_make =~ m![\\/:]!) { + $res{ make } ||= []; + push @{$res{make}}, "A path seems to be given in >$make< but the file was not found."; + }; + if ($make =~ /\s/ and not $is_quoted) { + $res{ make } ||= []; + push @{$res{make}}, <<MAKE_HAS_WHITESPACE; +>$make< +seems to contain whitespace but is not quoted. +This might be OK if there are additional commands you +want to pass to your make utility. If you want to use +"$make" +as your make program, please add appropriate quotes +to the line in Config.pm. +MAKE_HAS_WHITESPACE + }; + }; + + %res; +}; package CPAN::Config; ####::###### #hide from indexer
Subject: Re: [rt.cpan.org #17877] CPAN should warn if CPAN::Config contains problematic entries
Date: Tue, 28 Feb 2006 08:33:42 +0100
To: bug-CPAN@rt.cpan.org
From: andreas.koenig.gmwojprw@franz.ak.mind.de (Andreas J. Koenig)
Show quoted text
>>>>> On Mon, 27 Feb 2006 10:52:46 -0500 (EST), "Max Maischein via RT" <bug-CPAN@rt.cpan.org> said:
Show quoted text
> Mon Feb 27 10:52:44 2006: Request 17877 was acted upon. > Transaction: Ticket created by CORION > Queue: CPAN > Subject: CPAN should warn if CPAN::Config contains problematic entries > Owner: Nobody > Requestors: CORION@cpan.org > Status: new > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=17877 >
Show quoted text
> I have my make utility installed in a path with whitespace in it > (actually, Microsoft chose so and I stayed with the default). > CPAN/FirstTime.pm adds $CPAN::Config->{make} as
Show quoted text
> 'make' => q[C:\Programme\Microsoft Visual C++ Toolkit 2003\bin\nmake.EXE],
Show quoted text
> which later on causes problems with the shell interpolation.
Se also http://perlmonks.org/?node_id=530600. As I have no idea what the various command shells on Windows do with and without quotes an with different sorts of quotes, I was waiting or the man to fix this. Thank you for dropping in:)
Show quoted text
> Of course, the Grand Big Scheme will be to exorcise all shell > interpolation and system(STRING) calls,
Which won't happen, because the user more or less already owns the space before and after every command and may exploit any feature or nonsense their shell exposes.
Show quoted text
> but the easy fix was to add appropriate quotes to my > CPAN/Config.pm like this:
Show quoted text
> 'make' => q["C:\Programme\Microsoft Visual C++ Toolkit > 2003\bin\nmake.EXE"],
Good.
Show quoted text
> I've patched CPAN::HandleConfig to add a C<sanity_check> method which > currently checks just that the C<make> entry is sane (that is, exists, > and if it contains whitespace, that it also has quotes at the start and > end). See the attached diff against 1.87, and the attached test file to > test it.
Thanks. Before I make any decisios I'd like to find out if there is no easier way out. My idea would be to add a _quotify_command method that always does the right thing with all the commands in $CPAN::Config before composing the shell command. That would probably involve if it starts an ends with the same quote character: leave it as it is if it contains no whitespace: leave it as it is if it contains whitespace, then if it contains quotes: better leave it as it is else: quote it with the correct quote type for the box we're on The whole thing would have to be guarded by a config variable 'commands_quote': if set, we will use this quote character, if not set or an empty string, we will guess the quoe character, an if set to an ordinary space, we will not try to quote commands. If this is feasible, hat would probably be the solution we should provide. What do you think? -- andreas
CC: undisclosed-recipients:;
Subject: Re: [rt.cpan.org #17877] CPAN should warn if CPAN::Config contains problematic entries
Date: Tue, 28 Feb 2006 08:28:45 +0100
To: bug-CPAN@rt.cpan.org
From: andreas.koenig.gmwojprw@franz.ak.mind.de (Andreas J. Koenig)
Show quoted text
>>>>> On Mon, 27 Feb 2006 10:52:46 -0500 (EST), "Max Maischein via RT" <bug-CPAN@rt.cpan.org> said:
Show quoted text
> Mon Feb 27 10:52:44 2006: Request 17877 was acted upon. > Transaction: Ticket created by CORION > Queue: CPAN > Subject: CPAN should warn if CPAN::Config contains problematic entries > Owner: Nobody > Requestors: CORION@cpan.org > Status: new > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=17877 >
Show quoted text
> I have my make utility installed in a path with whitespace in it > (actually, Microsoft chose so and I stayed with the default). > CPAN/FirstTime.pm adds $CPAN::Config->{make} as
Show quoted text
> 'make' => q[C:\Programme\Microsoft Visual C++ Toolkit 2003\bin\nmake.EXE],
Show quoted text
> which later on causes problems with the shell interpolation.
Se also http://perlmonks.org/?node_id=530600. As I have no idea what the various command shells on Windows do with and without quotes an with different sorts of quotes, I was waiting or the man to fix this. Thank you for dropping in:)
Show quoted text
> Of course, the Grand Big Scheme will be to exorcise all shell > interpolation and system(STRING) calls,
Which won't happen, because the user more or less already owns the space before and after every command and may exploit any feature or nonsense their shell exposes.
Show quoted text
> but the easy fix was to add appropriate quotes to my > CPAN/Config.pm like this:
Show quoted text
> 'make' => q["C:\Programme\Microsoft Visual C++ Toolkit > 2003\bin\nmake.EXE"],
Good.
Show quoted text
> I've patched CPAN::HandleConfig to add a C<sanity_check> method which > currently checks just that the C<make> entry is sane (that is, exists, > and if it contains whitespace, that it also has quotes at the start and > end). See the attached diff against 1.87, and the attached test file to > test it.
Thanks. Before I make any decisios I'd like to find out if there is no easier way out. My idea would be to add a _quotify_command method that always does the right thing with all the commands in $CPAN::Config before composing the shell command. That would probably involve if it starts an ends with the same quote character: leave it as it is if it contains no whitespace: leave it as it is if it contains whitespace, then if it contains quotes: better leave it as it is else: quote it with the correct quote type for the box we're on The whole thing would have to be guarded by a config variable 'commands_quote': if set, we will use this quote character, if not set or an empty string, we will guess the quoe character, an if set to an ordinary space, we will not try to quote commands. If this is feasible, hat would probably be the solution we should provide. What do you think? -- andreas
Fixed in 1.87_51


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.