Stas Bekman <[EMAIL PROTECTED]> wrote:
:Unfortunately ExtUtils::MM_Unix->parse_version is unusable, because it doesn't work under -T :( That leaves me no choice but to duplicate loads of code :(
[...]
:Here is the fix against blead perl:
:--- lib/ExtUtils/MM_Unix.pm.orig 2004-03-23 12:06:37.153572807 -0800
:+++ lib/ExtUtils/MM_Unix.pm 2004-03-23 17:27:25.849684620 -0800
:@@ -3092,6 +3092,8 @@
: next if $inpod || /^\s*#/;
: chop;
: next unless /(?<!\\)([\$*])(([\w\:\']*)\bVERSION)\b.*\=/;
:+ # untaint
:+ { local($1, $2); ($_ = $_) = /(.*)/; }
: my $eval = qq{
: package ExtUtils::MakeMaker::_version;
: no strict;
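Review bot: the added `($_ = $_) = /(.*)/` line clears taint with a pattern that matches any line at all, so nothing is validated before `$eval` is built from it on the next line. Replace `(.*)` with a pattern that accepts only the version-assignment forms you intend to support, or leave the line tainted and put the trusted-file behaviour in a separately named function. The `# untaint` comment should also say why the captured text is safe to evaluate.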
Hmm, so we read some text from an arbitrary file, then eval a selected line from that (after wrapping it up some). Making that "work under -T" simply by treating all possible strings as safe seems like a bad idea - I think the existing behaviour is probably more correct, unless you are going to provide a regexp that'll match only guaranteed-safe code fragments.
If your particular -T script knows when parse_version is being called, and upon what files, and has already taken separate steps to determine that these files should be trusted, then that's fine. But to modify parse_version in a way that assumes the caller has done that seems inappropriate to me - for your case I think it would be more reasonable to duplicate the function to make a parse_version_from_trusted_file(). Whether such an additional function would also be suitable for inclusion in ExtUtils::* I don't know.
Maybe you are right, Hugo, in which case perl provides no function to figure a version number without first loading the module. Besides, no module that ever wants to run under -T environment can use ExtUtils::MM_Unix->parse_version, because it will break. If you have an alternative solution, please suggest it.
Besides, if you are going to say:
require Foo;
doesn't it make Foo trusted enough to make contents of Foo.pm trusted for eval STRING?
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
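An added example, not from the thread or from ExtUtils::MakeMaker: one shape the "regexp that'll match only guaranteed-safe code fragments" could take, accepting only a literal version assignment and returning the captured text without any eval (under -T a regex capture is untainted, so the narrowness of the pattern is the whole safety argument). The name `parse_version_literal`, the allow-list pattern and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Allow-list for one literal assignment (hypothetical pattern, added example).
my $LITERAL = qr/^\s*(?:our\s+|my\s+)?     # optional declarator
    \$[\w:']*\bVERSION\s*=\s*              # variable, optionally package-qualified
    (['"]?)(v?\d+(?:\.\d+)*(?:_\d+)?)\1    # bare or quoted version literal
    \s*;\s*(?:\#.*)?$/x;

# Hypothetical helper, not an ExtUtils::MakeMaker function.
# It never evals text taken from the file.
sub parse_version_literal {
    my ($fh) = @_;
    my $inpod = 0;
    while (my $line = <$fh>) {
        $inpod = $line =~ /^=(?!cut)/ ? 1 : $line =~ /^=cut/ ? 0 : $inpod;
        next if $inpod || $line =~ /^\s*#/;
        # Same line selector as in the patch under discussion.
        next unless $line =~ /(?<!\\)([\$*])(([\w\:\']*)\bVERSION)\b.*\=/;
        # The capture can only be digits, dots, an optional leading "v"
        # and an optional "_NN" suffix, so returning it is safe.
        return $2 if $line =~ $LITERAL;
        return;    # first VERSION line is not a plain literal: refuse
    }
    return;
}

# Constructed sample inputs, read through in-memory filehandles.
my %samples = (
    literal  => "package Foo;\nour \$VERSION = '1.23';\n",
    computed => "package Bar;\n\$VERSION = sprintf '%d', 2 + 3;\n",
);
for my $name (sort keys %samples) {
    open my $fh, '<', \$samples{$name} or die "open: $!";
    my $v = parse_version_literal($fh);
    printf "%-8s => %s\n", $name, defined $v ? $v : 'undef (refused)';
}
```

Modules that compute `$VERSION` with an expression get no answer from this helper, which is the trade-off for never evaluating file contents.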
