beyondgrep / ack2

**ack 2 is no longer being maintained. ack 3 is the latest version.**
https://github.com/beyondgrep/ack3/

Fix complaints about insecure $ENV{ENV} #493

Closed rkleemann closed 10 years ago

rkleemann commented 10 years ago

Insecure $ENV{ENV} while running with -T switch at t/Util.pm line 325.

hoelzro commented 10 years ago

Merged, thanks!

petdance commented 10 years ago

Is it documented somewhere that $ENV{ENV} is insecure? Is it a new thing that came after my creation of the tests?

rkleemann commented 10 years ago

From perlsec.pod, http://search.cpan.org/~rjbs/perl-5.20.0/pod/perlsec.pod:

> The PATH isn't the only environment variable which can cause problems. Because some shells may use the variables IFS, CDPATH, ENV, and BASH_ENV, Perl checks that those are either empty or untainted when starting subprocesses. You may wish to add something like this to your setid and taint-checking scripts.
>
>     delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer

petdance commented 10 years ago

Thanks for catching, because I don't know how it is that I've never had ENV in the list to delete.

Any reason we should not also delete BASH_ENV while we're at it?

rkleemann commented 10 years ago

I would say BASH_ENV should be added to the list.
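
The taint check discussed in this thread, as an added example (not code from ack's t/Util.pm or from any commenter): a child process is started once with a tainted `$ENV{ENV}` and once with the four perlsec variables removed for the duration of the call. The helper names `try_spawn` and `spawn_scrubbed`, the PATH value and the constructed file path are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T example.pl
use strict;
use warnings;

# Variables perlsec lists as checked before Perl starts a subprocess.
my @SHELL_VARS = qw(IFS CDPATH ENV BASH_ENV);

# Hypothetical helper: run a command and return the taint error text,
# or an empty string if Perl agreed to start the subprocess.
sub try_spawn {
    my @cmd = @_;
    my $ok = eval { system(@cmd); 1 };
    return $ok ? '' : $@;
}

# Hypothetical helper: same, but with the shell-startup variables removed.
# "delete local" (Perl 5.12+) restores the caller's values on return.
sub spawn_scrubbed {
    my @cmd = @_;
    delete local @ENV{@SHELL_VARS};
    return try_spawn(@cmd);
}

# Assumption: these directories are trusted and not writable by others.
# PATH is checked before the other variables, so it must be clean first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{@SHELL_VARS};

# Constructed input: a zero-length slice of the inherited environment is
# tainted, so appending it makes the value behave like one set by the
# caller's shell. Assumes at least one other variable was inherited.
my $taint = substr( join( '', values %ENV ), 0, 0 );
$ENV{ENV} = '/constructed/startup-file' . $taint;

print 'unscrubbed: ', try_spawn('true')      || "started\n";
print 'scrubbed:   ', spawn_scrubbed('true') || "started\n";
```

The first call reports the same class of error as the one quoted at the top of this thread; the second starts the child because the checked variables are absent while `system` runs.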

pjfl commented 9 years ago

September 2014 and this distribution still fails to install from CPAN. Is this distribution abandoned?

pjfl commented 9 years ago

@petdance bump

petdance commented 9 years ago

No, this distro is not abandoned.

pjfl commented 9 years ago

On 19/06/15 16:29, Andy Lester wrote:

> No, this distro is not abandoned.

Good, glad to hear it. Would you please push the patched copy to CPAN since it is not installing without force?

Regards