This queue is for tickets about the Test-Harness CPAN distribution.

Report information
The Basics
Id: 43266
Status: resolved
Priority: 0/
Queue: Test-Harness

People
Owner: Nobody in particular
Requestors: wyant [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: Taint code superfluous - and perhaps harmful
On attempting to install IPC::System::Simple 1.18 and App::Ack 1.88, I got test failures on those tests that required taint checking. A typical result (from IPC::System::Simple) was

    t/07_taint............Can't open perl script ""-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-sBuaPJ/inc"": No such file or directory

I attempted to track this to earth, and discovered that the command in question was issued by TAP::Parser::Iterator::Process, which attempts to run Perl using open3(), or failing that by quoting all its arguments and using a pipe open. A hook in TAP::Parser::Source::Perl showed the command arguments at that point to be

    PERL_DL_NONLAZY=1 /usr/local/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/07_taint.t
    Debug - @command is '/usr/local/bin/perl''-w''"-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/inc"''"-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/blib/lib"''"-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/blib/arch"''-T''-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/inc''-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/blib/lib''-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/blib/arch''-I/sw/lib/perl5''-I/sw/lib/perl5/darwin''t/07_taint.t' at /usr/local/lib/perl5/5.10.0/TAP/Parser/Source/Perl.pm line 162.

It appears that since shell processing is not done in open3() as used by TAP::Parser::Iterator::Process, the leading '"' causes "-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/inc" to be taken as the name of the script to run. It also appears that someone (in the TAP::Parser maze, I assume) is also shoving the contents of PERL5LIB into the argument list, so that Test::Harness does not need to do this.

At any rate, I removed the extra-argument code in Test::Harness, and the tests ran successfully, the generated command line being

    Debug - @command is ('/usr/local/bin/perl', '-w', '-T', '-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/inc', '-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/blib/lib', '-I/Users/tom/Library/Application Support/.cpan/build/IPC-System-Simple-1.18-VIOjqh/blib/arch', '-I/sw/lib/perl5', '-I/sw/lib/perl5/darwin', 't/07_taint.t') at /usr/local/lib/perl5/5.10.0/TAP/Parser/Source/Perl.pm line 162.
    t/07_taint............ok

The thing is, this is not the whole story, because the tainted tests do not fail if there is no whitespace in the path to 'inc'. I guess that something in TAP::Parser is quoting the arguments when it should not do so. I have attached a unified diff of my changes, though I can't imagine the changes being applied as-is.

My configuration:

    Test::Harness v 3.14
    TAP::Parser v 3.14
    perl v5.10.0
    os - Darwin 9.6.0 (Mac OS X 10.5.6)

Please let me know if I can provide any further information, or otherwise be of assistance.

Tom Wyant
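The mechanism the report above describes, reproduced as an added stand-alone example. This is not code from the ticket, from Test::Harness or from TAP::Parser; it is a small Perl script that builds the same kind of command list three ways and runs each through IPC::Open3, so you can watch a pre-quoted "-I..." element become the script name when no shell is involved. The temporary directory with a space in its name, the demo.t script and the run_list() helper are all made up for the demonstration, and it assumes a POSIX system with /bin/sh and a perl binary ($^X) whose path contains no whitespace.

```perl
#!/usr/bin/env perl
# Added example, not code from this ticket, Test::Harness or TAP::Parser.
# It shows why a pre-quoted "-I..." element breaks under open3(), which
# passes argv through untouched, and why the same string works when a
# shell is in the loop. The fixture directory, demo.t and run_list() are
# made up for this demonstration.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use IPC::Open3 qw(open3);

# Constructed fixture: an include directory whose path contains whitespace
# (the trigger the ticket identifies) and a trivial test script that only
# has to be found and run. It prints the first @INC entry so we can see
# that -I took effect.
my $base = tempdir( 'harness demo XXXXXX', TMPDIR => 1, CLEANUP => 1 );
my $inc  = File::Spec->catdir( $base, 'inc' );
mkdir $inc or die "mkdir $inc: $!";
my $script = File::Spec->catfile( $base, 'demo.t' );
open my $fh, '>', $script or die "open $script: $!";
print $fh "print qq{ok - \$INC[0]\\n};\n";
close $fh or die "close $script: $!";

# Run a command LIST through open3() and return (exit status, output).
# Each list element becomes exactly one argv entry in the child: no quote
# stripping, no word splitting. An undefined CHLD_ERR makes open3() send
# the child's STDERR to the same handle as its STDOUT, so one read gets
# both and there is no two-pipe deadlock to worry about.
sub run_list {
    my @cmd = @_;
    my $err;
    my $pid = open3( my $in, my $out, $err, @cmd );
    close $in;
    my $output = do { local $/; <$out> };
    waitpid $pid, 0;
    return ( $? >> 8, $output );
}

# 1. What the ticket's debug output shows arriving at the iterator: the
#    -I switch wrapped in double quotes inside the argv element. perl sees
#    an argument that does not start with '-', so it treats it as the
#    script to run and fails with "Can't open perl script".
my @quoted_no_shell = ( $^X, '-T', qq{"-I$inc"}, $script );

# 2. The same quoted strings handed to /bin/sh. The shell strips the quotes
#    and keeps the whitespace inside each word, so perl gets a clean -I.
#    (Assumes $^X itself has no whitespace in it.)
my @quoted_via_shell = (
    '/bin/sh', '-c', join ' ', $^X, '-T', qq{"-I$inc"}, qq{"$script"} );

# 3. The form the ticket's fix produced: one unquoted argv element per
#    switch, whitespace and all. This is what a LIST exec needs.
my @plain_no_shell = ( $^X, '-T', "-I$inc", $script );

for my $case (
    [ 'quoted -I, no shell',  @quoted_no_shell  ],
    [ 'quoted -I, via shell', @quoted_via_shell ],
    [ 'plain -I, no shell',   @plain_no_shell   ],
) {
    my ( $label, @cmd ) = @$case;
    my ( $status, $output ) = run_list(@cmd);
    print "$label: exit $status\n$output\n";
}
```

Case 1 fails the same way the ticket's t/07_taint run did, case 2 shows that the quoting was only ever correct for a code path that goes through a shell, and case 3 is the argv a shell-less open3() actually needs. The general rule this illustrates: quote for the layer that will consume the quotes, and when that layer is exec() rather than sh, do not quote at all.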
Except I lied when I said I attached the diff. Here it is, with my apologies. Tom Wyant
--- Harness.old 2008-09-13 09:29:26.000000000 -0400 +++ Harness.pm 2009-02-13 13:35:40.000000000 -0500 @@ -139,6 +139,19 @@ my $path_pat = qr{$path_sep}; my @extra_inc = _filtered_inc(); +=begin comment + + # The following appears not only to be superfluous (since + # TAP::Parser also maps PERL5LIB to -I if we're in taint mode) + # but actually harmful (since TAP::Parser::Iterator::Process + # uses open3() or a reasonable approximation, and therefore + # there is no shell processing, the '"' hides the '-I' and + # Perl thinks the whole thing is the name of a script to run). + # This is not the whole story, since the quotes are not being + # added to the argument here, and in fact tests using -T work + # fine if the directories being included via -I do not have + # whitespace in their names. + # Supply -I switches in taint mode $harness->callback( parser_args => sub { @@ -149,6 +162,10 @@ } ); +=end comment + +=cut + my $previous = $ENV{PERL5LIB}; local $ENV{PERL5LIB};
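Review bot: in the first hunk (@@ -139,6 +139,19 @@), wrapping the parser_args callback in a =begin comment block disables it without removing it, and the comment's own closing sentences say the quotes are not added here and that -T tests pass whenever the -I directories contain no whitespace, so this hunk masks the symptom rather than fixing the quoting that introduces the stray '"'. If the callback really duplicates TAP::Parser's PERL5LIB-to--I mapping in taint mode, delete it outright together with the "# Supply -I switches in taint mode" comment; if it does not, keep it and move the fix to the place that quotes the argument.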
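Review bot: in the second hunk (@@ -149,6 +162,10 @@), =end comment followed by =cut does return the parser to code before "my $previous = $ENV{PERL5LIB};", but none of the four added lines records that the PERL5LIB handling that follows is now the only route by which these directories reach a -T test; add a one-line comment saying so (or a TODO naming the quoting in TAP::Parser as the real fix) so the next reader does not simply re-enable the dead callback.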
This appears to me to be fixed in Test-Harness-3.16. Thanks. Tom Wyant