Update: I posted an update in a response below with a much simpler reproducible test case and some more insight about what is going on.

After putting aside the problem I asked about last year in Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542, I went back to it and made some headway. Now I would like to see if any of you esteemed monks with more insight into the inner workings of perl will have an idea about what is going on.

I distilled the problem down to the following code, which fails only on certain CPAN testers that run various older Linux and FreeBSD distros with perl versions in the 5.16 to 5.20 range, but not on all testers running the same OS and perl versions, and not on any VM I set up trying to copy the different configurations of the failing testers. So the only way I can debug this is by submitting to CPAN and looking at the failure reports.

The following sequence of code results in those testers getting the insecure dependency failure. The first line creates a tainted string that is an absolute directory path that exists. It doesn't seem to matter which directory or how I get it to be tainted. The second line has to consist of the -d expression and the call to file_name_is_absolute, in that order. Even though both are true and therefore both are evaluated, the error only happens if it is done in that order. Also, the error does not happen if I make it two consecutive statements rather than combining them with and. The third line is the call to tempdir in which the insecure dependency happens. In my tests the directory ./log does exist, but the program dies before it actually tries to make a subdirectory under it, and I haven't tested what happens if ./log doesn't exist. Notice that the ./log directory has nothing to do with $pathdir. Also, I happened to have started out with code that had use File::Temp qw(tempdir); so that's what's here, but the results are unchanged without the qw and with the function call line using File::Temp::tempdir.

#!/usr/bin/perl -T
use File::Temp qw(tempdir);
use File::Spec;

my $pathdir = $ENV{HOME};   # tainted absolute path to an existing directory
(-d $pathdir) and File::Spec->file_name_is_absolute($pathdir);   # both true; must be in this order
my $workdir = tempdir("temp.XXXXXX", DIR => "log");   # dies here: Insecure dependency in mkdir

I created an Acme module to test this, monkey patching some functions in File::Temp and File::Spec to narrow down where the taint happens. Here is one example report. All of the testers that exhibit the problem have the same results in the tests. The test t/a1.t demonstrates the failure with the above code. The other test files add monkey patching with carp output to narrow down exactly where something becomes tainted. In t/a4.t the output shows that File::Temp::tempdir calls File::Spec::Unix->catdir, which calls File::Spec::Unix->canonpath, passing it untainted values and getting a tainted value returned back. In t/t5.t and t/t6.t I find that if I try to monkey patch File::Spec::Unix->canonpath, even making the patch a duplicate of the original source code, the error does not happen and the return value is not tainted. I can't see anything in the code in File::Spec::Unix->canonpath that could possibly result in a tainted value given untainted input.

I specified File::Temp and File::Spec as required dependencies in Makefile.PL so that the reports would list which versions the testers were running. You can see that both are the latest released versions, which is what I based the monkey patches on.

Does this look like some obscure bug in these versions of perl? Any ideas?


In reply to Revisiting Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542 by sidney
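The following script is an added example, not code from sidney's post or from File::Temp. It traces taintedness through the same call chain the post describes (a tainted $ENV{HOME}, the -d / file_name_is_absolute pair, File::Spec->catdir and ->canonpath, then tempdir), using Scalar::Util::tainted to print a 0/1 flag at each step so the output can be compared across hosts, then deliberately triggers the Insecure dependency failure by passing the tainted path as DIR, and finally shows the standard regex-capture untaint before the same tempdir call. It assumes $ENV{HOME} is set and is a directory, and it must be run as perl -T; the temporary directory it creates under $HOME is removed at exit via CLEANUP.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): trace taint through the same
# tempdir() call chain, reproduce the "Insecure dependency" failure on purpose,
# and untaint explicitly before retrying.
# Run as:  perl -T taint_trace.pl    (assumes $ENV{HOME} is set and is a directory)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempdir);

# 0/1 taint flag, so the trace is easy to diff between a passing and a failing host.
sub t { return tainted($_[0]) ? 1 : 0 }

# Untaint a directory path by regex capture: allow only '/', word characters,
# '.' and '-', and reject any ".." segment. Returns undef rather than an unsafe path.
sub untaint_dir {
    my ($p) = @_;
    return undef unless defined $p && $p =~ m{^([\w./-]+)\z};
    my $clean = $1;                                   # $1 is untainted by design
    return undef if grep { $_ eq '..' } split m{/}, $clean;
    return $clean;
}

my $pathdir = $ENV{HOME};
die "HOME is not set or is not a directory\n" unless defined $pathdir && -d $pathdir;
printf "HOME                           tainted=%d\n", t($pathdir);

# The same two expressions as in the post, then inspect what File::Spec returns.
(-d $pathdir) and File::Spec->file_name_is_absolute($pathdir);
my $cat = File::Spec->catdir("log", "temp.XXXXXX");
printf "catdir('log','temp.XXXXXX')    tainted=%d\n", t($cat);
printf "canonpath('log/temp.XXXXXX')   tainted=%d\n", t(File::Spec->canonpath("log/temp.XXXXXX"));

# 1) Deliberately pass the tainted path as DIR: under -T the mkdir inside
#    File::Temp refuses with an "Insecure dependency" error.
my $dir = eval { tempdir("temp.XXXXXX", DIR => $pathdir, CLEANUP => 1) };
if (defined $dir) { print "tainted DIR    -> created $dir\n" }
else              { print "tainted DIR    -> died: $@" }

# 2) Untaint first: the identical call succeeds and returns an untainted path.
my $safe = untaint_dir($pathdir) // die "HOME failed the untaint check\n";
$dir = tempdir("temp.XXXXXX", DIR => $safe, CLEANUP => 1);
printf "untainted DIR  -> created %s (tainted=%d)\n", $dir, t($dir);
```

On a host that behaves normally, only the HOME line should report tainted=1 and the first tempdir call should die; if catdir or canonpath reports tainted=1 for literal, untainted arguments, that is the same anomaly the post's t/a4.t output shows, and the untaint_dir step is the practical workaround regardless of where the taint comes from.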
