Sat Jun 07 13:15:45 2014: Request 96291 was acted upon.
Transaction: Correspondence added by [email protected]
Queue: Inline
Subject: Re: [rt.cpan.org #96291] t/08taint.t fails on perl 5.20.0
Broken in: 0.55
Severity: (no value)
Owner: Nobody
Requestors: [email protected]
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >
Hi Rob,

Per the discussion with mst on #perl (ex pumpkin holder), I propose (and
will do if you haven't already) that at the top of 08taint.t:

1. Check for existence of $ENV{PATH}
2. If not, set to '/bin:/usr/bin'
3. Test in $ENV{PATH} for 'make' and $Config{cc}
4. If found, continue; if not, skip (since there's nothing else reasonable
to do, and I prefer not to make people force install)

Do you approve of this strategy?

On the systems you tested on, did Configure find "truly secure setuid
scripts"? Mine said no - I predict that's why it zeroes the path.

Cheers,
Ed

-----Original Message-----
From: [email protected] via RT
Sent: Saturday, June 07, 2014 8:53 AM
To: [email protected]
Subject: Re: [rt.cpan.org #96291] t/08taint.t fails on perl 5.20.0
<URL: https://rt.cpan.org/Ticket/Display.html?id=96291 >
-----Original Message-----
From: Ed J via RT
> Confirmation from #perl on irc.perl.org - it's a deliberate change in perl
> 5.20.0. A quick fix would be either to explicitly set $ENV{PATH} to
> '/bin:/usr/bin', or skip the test for 5.20.0.

Really? I thought it was purely dependent upon system configuration, and
completely independent of perl version.
On my Windows 7, Ubuntu 12.04, and Debian Wheezy systems the 08taint.t tests
pass (for perl-5.20.0 as well as earlier versions of perl).

> I hoped there would be a sensible value available in %Config, but there
> isn't.

I would happily dismantle Inline's attempted taint handling if:
a) Ingy gives his blessing for that to happen;
&&
b) there's a consensus that this is the right thing to do.

So far neither has happened.
In the meantime, patches are welcome.

I guess there are other things we could do - e.g. skip the 08taint.t test
script if (e.g.) $ENV{INLINE_NTT} was set. ("NTT" being a mnemonic for "No
Taint Testing").
I've no objection to doing that. In fact, I think I might do just that - it
comes at no cost to those who don't want to make use of the option.

However, I don't think I would like to force those tests to be skipped for
5.20. Someone might not notice that - and then get really annoyed because
the test suite didn't disclose to them that taint did not work.

Cheers,
Rob
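
The four steps proposed above, together with the INLINE_NTT opt-out, sketched as a preamble for a taint-mode test script. This is an added example, not the actual 08taint.t or any code from the Inline distribution; the helper name `in_path` and the skip messages are assumptions, and it assumes a Unix-like system.

```perl
#!perl -T
use strict;
use warnings;
use Config;
use File::Spec;
use Test::More;

# Opt-out from the thread: "NTT" = "No Taint Testing".
plan skip_all => 'INLINE_NTT is set, taint tests not run' if $ENV{INLINE_NTT};

# Steps 1-2: use the fixed PATH only when the environment supplies none.
# The literal is untainted; a PATH inherited from the caller stays tainted.
$ENV{PATH} = '/bin:/usr/bin'
    unless defined $ENV{PATH} && length $ENV{PATH};

# Step 3 helper (hypothetical name): true if the tool is an executable
# file, given either as an absolute path or found in a PATH directory.
sub in_path {
    # Keep the first word only; $Config{cc} may carry flags ("cc -m64").
    my ($tool) = split ' ', (defined $_[0] ? $_[0] : '');
    return 0 unless defined $tool;
    my @candidates = File::Spec->file_name_is_absolute($tool)
        ? ($tool)
        : map { File::Spec->catfile($_, $tool) } File::Spec->path;
    for my $file (@candidates) {
        return 1 if -f $file && -x _;
    }
    return 0;
}

# Step 4: skip visibly, naming what is missing, so the report shows the
# taint tests did not run rather than showing a silent pass.
my @missing = grep { !in_path($_) } 'make', $Config{cc};
plan skip_all => "not found in PATH ($ENV{PATH}): @missing" if @missing;

plan tests => 1;
pass('make and $Config{cc} found; the real taint tests would follow here');
```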