Skip Menu |
 

This queue is for tickets about the HTML-Template CPAN distribution.

Report information
The Basics
Id: 26456
Status: resolved
Priority: 0/
Queue: HTML-Template

People
Owner: Nobody in particular
Requestors: admin [...] photoresearchers.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: taint mode check against force_untaint will fail in perl versions < 5.8
Date: Tue, 17 Apr 2007 15:05:20 -0400
To: bug-HTML-Template [...] rt.cpan.org
From: Administrator <admin [...] photoresearchers.com>
Download (untitled) / with headers
text/plain 492b
In Template.pm (v2.9), the following bit of code # make sure taint mode is on if force_untaint flag is set if ($options->{force_untaint} && ! ${^TAINT}) { croak("HTML::Template->new() : 'force_untaint' option set but perl does not run in taint mode!"); } ... will be triggered in version of perl < 5.8 even when running in taint mode because the variable ${^TAINT} wasn't introduced until perl 5.8. You may want to include a condition for the perl version as well here.
From: sven-bitcard [...] sven.de
Download (untitled) / with headers
text/plain 197b
Thanks for pointing this out. I guess instead of looking at ${^TAINT} we could do "Scalar::Util::tainted($0)" however this isn't foolproof because $0 can be untainted by a program. Any other ideas?
From: admin [...] photoresearchers.com
Show quoted text
> Any other ideas?
Well, first the use of ${^TAINT} should be bundled with an evaluation of $PERL_VERSION to make sure that the statement is evaluating a meaningful truth condition. For perl versions 5.6, this check could conceivably be ignored. Alternately, you could consider using a module like Dan Sugalski's "Taint" (CPAN user dsugal) to force the taint setting on something that you then test with Scalar::Util::tainted(). Here again you wouldn't want to require this for versions 5.8 and higher, but could require it for 5.6. I'm not sure if you want to use your own perl hack to accomplish this, but that's another option as well. The main issue is that perl5.6 is perfectly capable of running in taint mode, and users of your module may very well want to use the "force_untaint" option with this knowledge of perl5.6 without getting caught up in errors and warnings. Documentation indicating that the taint mode check can't be run reliably in versions of perl prior to 5.8 ("use at your own risk") would be sufficient and preferable to croaking.
From: admin [...] photoresearchers.com
Download (untitled) / with headers
text/plain 230b
More specifically, the condition "! ${^TAINT}" is insufficient because it evaluates to true even when ${^TAINT} is undefined. This condition should check that ${^TAINT} is defined and false to rise to the level of croak()ing.
Download (untitled) / with headers
text/plain 159b
This is fixed in the upcoming 2.10 version of HTML::Template. 2.10 will warn if they aren't using at least Perl 5.8.0 but won't croak if force_untaint is true.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.