Re: Taint mode testing and project Phalanx
On Wed, Oct 22, 2003 at 08:17:06AM -0700, Bob Goolsby (bogoolsb) wrote:
> Actually, that is an argument for running two sets of tests, one vanilla,
> the other Tainted.
>
> And that raises the question "Whose bug is it?" if something passes the
> test package under normal conditions, but fails under -T. Are we seeing a
> real problem in the Package, or another -T weirdity?

If a module hits a taint bug in the core, it's Perl's bug but it's the
module's problem. Unless the author is going to make the decision to not
support taint mode, they've got to be aware of the problem and attempt a
work around. Same issue with any core bug I'm afraid.

Fortunately, there's an easy way to tell the difference between a proper
taint failure and a failure due to a taint bug. If the taint test dies
with an "Insecure dependency" you've probably got a normal taint failure.
If it fails in any other way, differently than a normal run, you've got a
bug in taint.

--
Michael G Schwern  [EMAIL PROTECTED]  http://www.pobox.com/~schwern/
AY! The ground beef, she is burning my groin!
http://sluggy.com/d/990105.html
Re: Taint mode testing and project Phalanx
At 04:39 PM 10/21/2003 -0700, Michael G Schwern wrote:
> On Tue, Oct 21, 2003 at 12:34:44PM -0500, Dave Rolsky wrote:
> > Anyway, my taint mode experience has been that random things break in very
> > weird ways when using it.
>
> All the more reason to test with it on. :)
>
> --
> Michael G Schwern  [EMAIL PROTECTED]  http://www.pobox.com/~schwern/
> Do not try comedy at home! Milk & Cheese are advanced experts!
> Attempts at comedy can be dangerously unfunny!

Actually, that is an argument for running two sets of tests, one vanilla,
the other Tainted.

And that raises the question "Whose bug is it?" if something passes the
test package under normal conditions, but fails under -T. Are we seeing a
real problem in the Package, or another -T weirdity?

B

Bob Goolsby
[EMAIL PROTECTED]
(408) 853-2055
Re: Taint mode testing and project Phalanx
Andrew Savige wrote in perl-qa :
>
> Given the differences in behaviour with taint mode, it seems to me
> that for a "taint mode test" (i.e. one with -wT in its first line)
> Test::Harness should run the test twice -- once with taint mode and
> once without. Though I suppose there might be a case where you want
> to run the test in taint mode only, so maybe Test::Harness needs
> some options to control this.

Following this idea, I just added to bleadperl (change 21515) a
"make test.taintwarn" target that runs the test suite with the -t (taint
warnings) command-line flag. It spits out a lot of "Insecure dependency"
warnings, and several tests fail. Notably, tests that install
$SIG{__WARN__} handlers are unhappy to catch taint warnings in it.
However some failures may require more careful investigation.
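The $SIG{__WARN__} problem described above, as an added example that is not
part of the thread or of the perl core's test suite: under -t a taint
violation is reported as a warning instead of a fatal error, so a test that
installs a __WARN__ handler to assert "the code under test emitted no
warnings" suddenly sees "Insecure $ENV{PATH} while running with -t switch"
and fails. The handler below lets taint diagnostics through to STDERR and
only records everything else. The file name warn_handler.t and the backtick
command are assumptions for the demonstration; run it as "perl
warn_handler.t", "perl -t warn_handler.t" and "perl -T warn_handler.t" and
compare.

```perl
#!/usr/bin/perl -w
# Added example, not from the thread.  A test that collects warnings with
# a $SIG{__WARN__} handler and keeps taint warnings emitted under "perl -t"
# from being counted as warnings from the code under test.
#   perl    warn_handler.t    # no taint checks: both tests pass
#   perl -t warn_handler.t    # taint violations become warnings: both pass
#   perl -T warn_handler.t    # the backticks die: "Insecure $ENV{PATH} ..."
use strict;
use Test::More tests => 2;

my @warnings;

# Taint diagnostics under -t all come from one place in the core and read
# "Insecure <what> while running with -t switch at FILE line N."  Treat
# those separately, so that "no warnings were emitted" means the same
# thing under -t as it does in a normal run.
sub is_taint_warning {
    my ($msg) = @_;
    return $msg =~ /^Insecure .* while running with -t switch\b/ ? 1 : 0;
}

$SIG{__WARN__} = sub {
    my ($msg) = @_;
    if (is_taint_warning($msg)) {
        print STDERR $msg;    # still visible, just not counted
        return;
    }
    push @warnings, $msg;
};

# Code under test.  Running a command consults $ENV{PATH}, which is
# tainted because it came from the environment: fatal under -T, a warning
# under -t, silent otherwise.
my $out = `echo hello`;

is($out, "hello\n", 'command ran');
is(scalar @warnings, 0, 'no warnings from the code under test')
    or diag("got: @warnings");
```

Without the filter the second assertion fails under -t for every test that
runs a command, opens a file for writing, or does anything else taint
checks cover, which is the class of spurious failure the make target above
turns up.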
Re: Taint mode testing and project Phalanx
On Tue, 21 Oct 2003, Michael G Schwern wrote:
> On Tue, Oct 21, 2003 at 12:34:44PM -0500, Dave Rolsky wrote:
> > Anyway, my taint mode experience has been that random things break in very
> > weird ways when using it.
>
> All the more reason to test with it on. :)

At this point I've become rather disgusted with it. When taint mode breaks
pos(), and as a result your regex-based parser blows up in weird ways, and
you spend many, many hours figuring out what exactly is happening, and then
can't reduce it to a simple test case, you tend to get a little peeved.

Tim's #ifdef idea for testing taint mode seems like a really good idea.
Once I know it's well tested in the core, I'll be happy to test my own
modules with it.

-dave

/*===
House Absolute Consulting
www.houseabsolute.com
===*/
Re: Taint mode testing and project Phalanx
Michael G Schwern wrote:
> On Tue, Oct 21, 2003 at 12:34:44PM -0500, Dave Rolsky wrote:
>> Anyway, my taint mode experience has been that random things break in very
>> weird ways when using it.
>
> All the more reason to test with it on. :)

Given the differences in behaviour with taint mode, it seems to me
that for a "taint mode test" (i.e. one with -wT in its first line)
Test::Harness should run the test twice -- once with taint mode and
once without. Though I suppose there might be a case where you want
to run the test in taint mode only, so maybe Test::Harness needs
some options to control this.

/-\

http://personals.yahoo.com.au - Yahoo! Personals
New people, new possibilities. FREE for a limited time.
Re: Taint mode testing and project Phalanx
On Tue, Oct 21, 2003 at 12:34:44PM -0500, Dave Rolsky wrote:
> Anyway, my taint mode experience has been that random things break in very
> weird ways when using it.

All the more reason to test with it on. :)

--
Michael G Schwern  [EMAIL PROTECTED]  http://www.pobox.com/~schwern/
Do not try comedy at home! Milk & Cheese are advanced experts!
Attempts at comedy can be dangerously unfunny!
Re: Taint mode testing and project Phalanx
On Tue, Oct 21, 2003 at 12:34:44PM -0500, Dave Rolsky wrote:
>
> Anyway, my taint mode experience has been that random things break in very
> weird ways when using it.

I'd guess that many extensions don't handle magic properly. Extension
authors rarely add the extra logic, even if they know what logic needs to
be added. Same possibly applies to more obscure parts of perl.

Proof of concept, for anyone that has the time: modify perl with a #ifdef
so that all values are tainted but disable the tainted expression
exception so that they're harmless. See what tests fail.

Tim.
Re: Taint mode testing and project Phalanx
On Mon, 20 Oct 2003, Michael G Schwern wrote:
> On Tue, Oct 21, 2003 at 12:24:03AM -0500, Dave Rolsky wrote:
> > On Mon, 20 Oct 2003, Andrew Savige wrote:
> > > I noticed in Test::Tutorial:
> > > "Taint mode is a funny thing. It's the globalest of all global features.
> > > Once you turn it on it effects all code in your program and all modules
> > > used (and all the modules they use). If a single piece of code isn't
> > > taint clean, the whole thing explodes. With that in mind, it's very
> > > important to ensure your module works under taint mode."
> >
> > Not to mention that it's buggy as hell. For example, in various versions
> > of Perl I've used there have been rather serious bugs in the regex engine
> > when taint mode is on, even when dealing with untainted variables!
>
> I've never hit anything like this. Do you have examples?

Well, one example comes from my Params::Validate module, where I have this
little bit of XS:

    while (he = hv_iternext(p)) {
        /* This may be related to bug #7387 on bugs.perl.org */
#if (PERL_VERSION == 5)
        if (! PL_tainting)
#endif
            SvGETMAGIC(HeVAL(he));
        /* ... */
    }

Whee, a random taint related bug.

Then there was the time I found that pos() didn't get updated inside
s/\G...//gc matches when taint mode was on, for certain versions of Perl
working with some strings (but not others). I don't think this bug exists
in the current version any more. I could never reproduce this in a
concise example, unfortunately.

Anyway, my taint mode experience has been that random things break in very
weird ways when using it.

-dave

/*===
House Absolute Consulting
www.houseabsolute.com
===*/
Re: Taint mode testing and project Phalanx
On Mon, Oct 20, 2003 at 10:27:34PM -0700, Michael G Schwern wrote:
> On Tue, Oct 21, 2003 at 12:24:03AM -0500, Dave Rolsky wrote:
> > Not to mention that it's buggy as hell. For example, in various versions
> > of Perl I've used there have been rather serious bugs in the regex engine
> > when taint mode is on, even when dealing with untainted variables!
>
> I've never hit anything like this. Do you have examples?

http://rt.perl.org/rt2/Ticket/Display.html?id=24248

variations on the theme of

    #!perl -T
    {
        local $ENV{PATH} = "/bin";
        my $r = "foo";
        $ARGV[0] =~ /($r)/;
        my $c = "echo $1";
        system $c;
    }
    __END__

http://rt.perl.org/rt2/Ticket/Display.html?id=22270

where I don't agree with any of the explanations (IIRC) and stand by the
bug. (But ran out of time to find a better explanation)

Nicholas Clark
Re: Taint mode testing and project Phalanx
On Tue, Oct 21, 2003 at 12:24:03AM -0500, Dave Rolsky wrote:
> On Mon, 20 Oct 2003, Andrew Savige wrote:
> > I noticed in Test::Tutorial:
> > "Taint mode is a funny thing. It's the globalest of all global features.
> > Once you turn it on it effects all code in your program and all modules
> > used (and all the modules they use). If a single piece of code isn't
> > taint clean, the whole thing explodes. With that in mind, it's very
> > important to ensure your module works under taint mode."
>
> Not to mention that it's buggy as hell. For example, in various versions
> of Perl I've used there have been rather serious bugs in the regex engine
> when taint mode is on, even when dealing with untainted variables!

I've never hit anything like this. Do you have examples?

--
Michael G Schwern  [EMAIL PROTECTED]  http://www.pobox.com/~schwern/
Loon.
Re: Taint mode testing and project Phalanx
On Mon, 20 Oct 2003, Andrew Savige wrote:
> I noticed in Test::Tutorial:
> "Taint mode is a funny thing. It's the globalest of all global features.
> Once you turn it on it effects all code in your program and all modules
> used (and all the modules they use). If a single piece of code isn't
> taint clean, the whole thing explodes. With that in mind, it's very
> important to ensure your module works under taint mode."

Not to mention that it's buggy as hell. For example, in various versions
of Perl I've used there have been rather serious bugs in the regex engine
when taint mode is on, even when dealing with untainted variables!

I for one think taint mode is rather hopeless until taint mode itself gets
better testing in the Perl core.

> What are general opinions re taint tests for CPAN modules?
> (i.e. a test with #!perl -Tw as the first line of the test).

See above.

-dave

/*===
House Absolute Consulting
www.houseabsolute.com
===*/
Re: Taint mode testing and project Phalanx
Moin,

On Monday 20 October 2003 04:07, Andrew Savige wrote:
> I noticed in Test::Tutorial:
> "Taint mode is a funny thing. It's the globalest of all global features.
> Once you turn it on it effects all code in your program and all modules
> used (and all the modules they use). If a single piece of code isn't
> taint clean, the whole thing explodes. With that in mind, it's very
> important to ensure your module works under taint mode."
>
> I don't have much practical experience with taint mode testing,
> however, and was wondering how important taint mode testing is
> to project Phalanx.

Hm, good idea. I have a large project at work, which almost exclusively
runs under Taint (it's a server/client thingy). However, the testsuite
largely tests under non-taint mode. Hm.

Should basically all modules be tested under taint and non-taint, even
though they usually are not developed with this in mind? E.g. running
their own suite twice, w/ & w/o -T?

Best wishes,

Tels

--
Signed on Mon Oct 20 18:28:35 2003 with key 0x93B84C15.
Visit my photo gallery at http://bloodgate.com/photos/
PGP key on http://bloodgate.com/tels.asc or per email.

"Ivonna Humpalot"
Re: Taint mode testing and project Phalanx
On Mon, Oct 20, 2003 at 12:07:48PM +1000, Andrew Savige wrote:
> On the down-side: while taint tests seem to work fine for me with
> Perl 5.6.0 and above, I experienced problems with Perl 5.005 which
> failed with something like "cannot locate Fred/Fred.pm in @INC"
> when running taint tests. I have hardly investigated this: does
> anyone out there regularly run taint mode tests with Perl 5.005?

Older versions of Test::Harness look like they're adding blib/lib to the
@INC of the test by using PERL5LIB instead of -I. Taint causes PERL5LIB
to be ignored. Try upgrading Test::Harness. It should work back to 5.4.0.

--
Michael G Schwern  [EMAIL PROTECTED]  http://www.pobox.com/~schwern/
You and your "facts" and your "physics". Pah, I say.
http://www.goats.com/archive/981221.html
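The three points made in this thread about running tests twice (Andrew's
"run it with and without -T"), telling a real taint failure from a taint
bug (Schwern's "Insecure dependency" rule of thumb), and why PERL5LIB is
the wrong way to get blib/lib into a tainted test, put together as an added
example. This is a hypothetical driver script, not Test::Harness and not
code from the thread; it assumes a Unix perl (it forks) and that the
module under test keeps its code in lib/ or blib/lib under the current
directory. Run it as "perl run_both_ways.pl t/*.t".

```perl
#!/usr/bin/perl
# Added example, not from the thread or from Test::Harness.  Runs each
# test file twice, once normally and once under -T, and says which kind of
# failure a taint-only failure is.  Assumes a Unix perl and lib/ or
# blib/lib under the current directory.
use strict;
use warnings;

# Run one test file with the given perl switches; return the wait status
# ($?) and the combined STDOUT+STDERR.  The library paths are passed with
# -I rather than via PERL5LIB: perl ignores PERL5LIB (and PERLLIB) when
# running with -T, which is exactly the "cannot locate Fred/Fred.pm in
# @INC" symptom from the old Test::Harness.
sub run_test {
    my ($file, @switches) = @_;
    my $pid = open(my $fh, '-|');       # fork; child's STDOUT is our pipe
    defined $pid or die "fork failed: $!";
    if ($pid == 0) {
        open STDERR, '>&', \*STDOUT or die "dup failed: $!";
        exec $^X, @switches, '-Iblib/lib', '-Ilib', $file
            or exit 127;
    }
    my $output = do { local $/; <$fh> };
    close $fh;                          # sets $? to the child's status
    return ($?, $output);
}

# A test that puts -T on its own #! line cannot be run untainted at all:
# perl refuses with 'Too late for "-T" option'.
sub declares_taint {
    my ($file) = @_;
    open my $fh, '<', $file or die "cannot read $file: $!";
    my $first = <$fh>;
    close $fh;
    return defined $first && $first =~ /^#!.*\s-\w*T/ ? 1 : 0;
}

# Classify the pair of runs.  A genuine taint violation is reported by
# the core with one of a small family of "Insecure ..." diagnostics
# ("Insecure dependency in ...", "Insecure $ENV{PATH} ...", "Insecure
# directory in ..."); anything else that only goes wrong under -T is a
# candidate taint bug rather than a taint violation.
sub classify {
    my ($plain_status, $taint_status, $taint_output) = @_;
    return 'passes both ways'          if $plain_status == 0 && $taint_status == 0;
    return 'fails even without -T'     if $plain_status != 0;
    return 'taint violation in module' if $taint_output =~ /^Insecure (?:dependency|directory|\$ENV\{)/m;
    return 'fails only under -T with no taint diagnostic: suspect a core taint bug';
}

for my $file (@ARGV) {
    if (declares_taint($file)) {
        my ($status, $output) = run_test($file, '-T');
        print "$file: declares -T itself, ran under -T only: ",
              ($status == 0 ? "pass" : "fail"), "\n";
        next;
    }
    my ($plain_status, $plain_output) = run_test($file);
    my ($taint_status, $taint_output) = run_test($file, '-T');
    print "$file: ", classify($plain_status, $taint_status, $taint_output), "\n";
    if ($taint_status != 0) {
        my @lines = split /\n/, $taint_output;
        splice @lines, 5 if @lines > 5;
        print "    -T run said: $_\n" for @lines;
    }
}
```

The classification is only as good as Schwern's heuristic: a module can of
course have a real taint violation that surfaces as some other failure
later on, so "suspect a core taint bug" means "look at the -T output by
hand", not "file a perlbug".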
Taint mode testing and project Phalanx
I noticed in Test::Tutorial:

"Taint mode is a funny thing. It's the globalest of all global features.
Once you turn it on it effects all code in your program and all modules
used (and all the modules they use). If a single piece of code isn't
taint clean, the whole thing explodes. With that in mind, it's very
important to ensure your module works under taint mode."

I don't have much practical experience with taint mode testing,
however, and was wondering how important taint mode testing is
to project Phalanx.

What are general opinions re taint tests for CPAN modules?
(i.e. a test with #!perl -Tw as the first line of the test).

Further to Schwern's Test::Tutorial preach to the choir above,
taint mode tests seem worthwhile to me because:

1) They may catch silly errors in module code. For example:
     $x = `date`;
   is not taint-safe, while:
     $x = scalar localtime;
   is. Clearly, the latter is preferable.

2) They further exercise Perl itself (part of the Phalanx charter).

On the down-side: while taint tests seem to work fine for me with
Perl 5.6.0 and above, I experienced problems with Perl 5.005 which
failed with something like "cannot locate Fred/Fred.pm in @INC"
when running taint tests. I have hardly investigated this: does
anyone out there regularly run taint mode tests with Perl 5.005?

/-\
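The `date` versus localtime point above, worked through as an added
example that is not part of the original post. It shows why the backticks
die under -T (they consult the tainted $ENV{PATH}) while localtime does
not, how to run a command anyway by setting the environment from literals,
and the regex-capture idiom that is the one sanctioned way to launder a
tainted value. The file name checks, the temp directory and the helper
names are assumptions for the demonstration; run it as
"perl -T taint_demo.pl report-2003.txt" and again with "../etc/passwd".

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post.  Run as:
#   perl -T taint_demo.pl report-2003.txt
#   perl -T taint_demo.pl ../etc/passwd
# Helper names, the temp directory and the file name rules are assumptions
# made for this demonstration.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Not taint-safe: running a command consults $ENV{PATH}, which came from
# the environment and is therefore tainted.  Under -T this dies with
# "Insecure $ENV{PATH} while running with -T switch".
sub date_unsafe {
    my $d = `date`;
    chomp $d;
    return $d;
}

# Taint-safe: no subprocess, no environment involved.
sub date_safe {
    return scalar localtime;
}

# If a command really is needed, set the environment the command depends
# on from literals (literals are never tainted) and drop the variables a
# shell would read.  This is the perlsec recipe.
sub date_via_command {
    local $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    my $d = `date`;
    chomp $d;
    return $d;
}

# Untainting.  A capture from a regex match against a tainted string is
# untainted (unless "use re 'taint'" is in effect), so the pattern is
# where you state exactly what you are willing to accept.  Here: a bare
# file name of word characters, dots and dashes, no path separators.
sub untaint_filename {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A([\w.-]{1,64})\z/;
    my $clean = $1;
    return if $clean eq '.' || $clean eq '..';
    return $clean;
}

# Reading a file with a tainted name is allowed; creating or writing one
# is not.  This helper is the checked operation used below.
sub write_note {
    my ($path) = @_;
    open my $fh, '>', $path or die "cannot create $path: $!\n";
    print {$fh} "ok\n";
    close $fh or die "close failed: $!\n";
    return 1;
}

# Command-line arguments are tainted under -T.  If none is given, borrow
# taint from $ENV{PATH}: appending a zero-length substring of a tainted
# string taints the result.
my $input = defined $ARGV[0] ? $ARGV[0]
                             : 'report-2003.txt' . substr($ENV{PATH}, 0, 0);
printf "input '%s': tainted=%s\n", $input, tainted($input) ? 'yes' : 'no';

# File::Spec drops a tainted $ENV{TMPDIR} under -T, so this path is clean.
my $dir = tempdir(CLEANUP => 1);

# The raw value in a write-open dies even when it looks harmless.
eval { write_note("$dir/$input") };
print "raw value in open: ", ($@ ? "died: $@" : "allowed\n");

# The laundered value works, or is rejected by our own check.
my $clean = untaint_filename($input);
if (defined $clean) {
    printf "untainted '%s': tainted=%s\n", $clean, tainted($clean) ? 'yes' : 'no';
    write_note("$dir/$clean");
    print "clean value in open: allowed\n";
} else {
    print "rejected by untaint_filename: '$input'\n";
}

print "date_safe:        ", date_safe(), "\n";
print "date_via_command: ", date_via_command(), "\n";
eval { date_unsafe() };
print "date_unsafe:      ", ($@ ? "died: $@" : "ran\n");
```

The second run, with "../etc/passwd", is the one to look at: the raw value
dies in open with "Insecure dependency", untaint_filename rejects it, and
nothing is ever created outside the temp directory. Note that the check
is only as strict as the pattern; /(.*)/ would launder anything, which is
the usual way taint mode gets defeated in practice.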