This queue is for tickets about the YAML-Syck CPAN distribution.

Report information
The Basics
Id: 62608
Status: resolved
Priority: 0/
Queue: YAML-Syck

People
Owner: Nobody in particular
Requestors: MARKLE [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 1.13
  • 1.15
Fixed in: (no value)



Subject: use somehow interferes w/ Getopt::Long integers when setuid
This was a real stumper. At first I was going to file a bug against Getopt::Long, but then I tried my test script with regular 'YAML' and it worked correctly. It seems that use of YAML::Syck in a setuid script (and only when setuid) interferes with only the 'integer' type in Getopt::Long. This is a really weird one. I am using perl 5.8.8 in CentOS. I will try YAML::Syck 1.15 in a moment.

--mark--

    hedges@vm5:~$ cat /tmp/lamer.pl
    #!/usr/bin/perl
    use strict;
    use warnings FATAL => 'all';
    use English '-no_match_vars';
    use Getopt::Long;
    use YAML;

    my %args = ();

    warn "raw script args:\n".Dump(\@ARGV);

    my $result = GetOptions(
        'integer=i' => \$args{integer},
        'string=s' => \$args{string},
        'float=f' => \$args{float},
    );

    warn "getopt script args:\n".Dump(\%args);
    hedges@vm5:~$ ls -lah /tmp/lamer.pl
    -rwxr-x--- 1 root hedges 353 Oct 31 23:07 /tmp/lamer.pl
    hedges@vm5:~$ /tmp/lamer.pl --float 2.3 --integer 1 --string foobar
    raw script args:
    ---
    - --float
    - 2.3
    - --integer
    - 1
    - --string
    - foobar
    getopt script args:
    ---
    float: 2.3
    integer: 1
    string: foobar
    hedges@vm5:~$ sudo chmod u+s /tmp/lamer.pl
    hedges@vm5:~$ ls -lah /tmp/lamer.pl
    -rwsr-x--- 1 root hedges 353 Oct 31 23:07 /tmp/lamer.pl
    hedges@vm5:~$ /tmp/lamer.pl --float 2.3 --integer 1 --string foobar
    raw script args:
    ---
    - --float
    - 2.3
    - --integer
    - 1
    - --string
    - foobar
    getopt script args:
    ---
    float: 2.3
    integer: 1
    string: foobar
    hedges@vm5:~$ sudo perl -pi -e 's/YAML/YAML::Syck/' /tmp/lamer.pl
    hedges@vm5:~$ cat /tmp/lamer.pl
    #!/usr/bin/perl
    use strict;
    use warnings FATAL => 'all';
    use English '-no_match_vars';
    use Getopt::Long;
    use YAML::Syck;

    my %args = ();

    warn "raw script args:\n".Dump(\@ARGV);

    my $result = GetOptions(
        'integer=i' => \$args{integer},
        'string=s' => \$args{string},
        'float=f' => \$args{float},
    );

    warn "getopt script args:\n".Dump(\%args);
    hedges@vm5:~$ ls -lah /tmp/lamer.pl
    -rwsr-x--- 1 root hedges 359 Oct 31 23:09 /tmp/lamer.pl
    hedges@vm5:~$ /tmp/lamer.pl --float 2.3 --integer 1 --string foobar
    raw script args:
    ---
    - --float
    - '2.3'
    - --integer
    - 1
    - --string
    - foobar
    getopt script args:
    ---
    float: '2.3'
    integer: ~
    string: foobar
    hedges@vm5:~$ sudo chmod u-s /tmp/lamer
    chmod: cannot access `/tmp/lamer': No such file or directory
    hedges@vm5:~$ sudo chmod u-s /tmp/lamer.pl
    hedges@vm5:~$ ls -lah /tmp/lamer.pl
    -rwxr-x--- 1 root hedges 359 Oct 31 23:09 /tmp/lamer.pl
    hedges@vm5:~$ /tmp/lamer.pl --float 2.3 --integer 1 --string foobar
    raw script args:
    ---
    - --float
    - '2.3'
    - --integer
    - 1
    - --string
    - foobar
    getopt script args:
    ---
    float: '2.3'
    integer: 1
    string: foobar

yup, broken in 1.15 also
On Mon Nov 01 02:17:05 2010, MARKLE wrote:
> yup, broken in 1.15 also
Tried updating all yum packages in CentOS and upgrading all CPAN packages with the CPAN shell. No luck, same results. I'm going to work around by using YAML.pm.

--mark--

    hedges@vm5:~$ perl --version

    This is perl, v5.8.8 built for i386-linux-thread-multi

    Copyright 1987-2006, Larry Wall

    Perl may be copied only under the terms of either the Artistic License or the
    GNU General Public License, which may be found in the Perl 5 source kit.

    Complete documentation for Perl, including FAQ lists, should be found on
    this system using "man perl" or "perldoc perl". If you have access to the
    Internet, point your browser at http://www.perl.org/, the Perl Home Page.

    hedges@vm5:~$ yum info perl
    Loaded plugins: fastestmirror
    Installed Packages
    Name    : perl
    Arch    : i386
    Epoch   : 4
    Version : 5.8.8
    Release : 32.el5_5.2

I tried adding a Getopt::Long flag option and YAML::Syck does not interfere with that when the script is setuid - only integer types. I will also contact the developer of Getopt::Long.
> I will also contact the developer of Getopt::Long.
I tried this on Fedora 14, perl 5.12.0, YAML::Syck 1.07. No problems at all. I'm puzzled about your version of YAML::Syck. 1.07 is most recent, yet you mention version 1.15...
Nope, look up YAML::Syck in http://search.cpan.org. 1.15 is the most recent. I'm installing modules with CPAN. 'install YAML::Syck' installs version 1.15. Maybe CPAN:AVAR uploaded a devel version without setting the flag?

I wouldn't be at all surprised if this bug is particular to the weirdness with perl 5.8.8 and only in (Last)Cent(ury)OS. Something to do with XS building or the linked libs?

Mark
RT-Send-CC: jv [...] cpan.org, MARKLE [...] cpan.org
On Wed Nov 03 17:43:19 2010, MARKLE wrote:
> Nope, look up YAML::Syck in http://search.cpan.org. 1.15 is the most
> recent. I'm installing modules with CPAN. 'install YAML::Syck'
> installs version 1.15. Maybe CPAN:AVAR uploaded a devel version without
> setting the flag?
1.15 is only one of many recent changes to try to clean up some long standing open issues with this module. See http://cpansearch.perl.org/src/AVAR/YAML-Syck-1.15/Changes
> I wouldn't be at all surprised if this bug is particular to the
> weirdness with perl 5.8.8 and only in (Last)Cent(ury)OS. Something to
> do with XS building or the linked libs?
Which very well could be. I will try with a clean perl to reproduce.
Mark, do you continue to see issues with the most recent release (1.20)?
Ticket migrated to github as https://github.com/toddr/YAML-Syck/issues/41

