search

xslate / p5-Mouse

Lightweight class builder for Perl, as a subset of Moose
https://metacpan.org/release/Mouse
Other
46 stars 32 forks source link

Mouse won't build for perls without . in @INC. #69

Closed toddr closed 7 years ago

toddr commented 7 years ago

As a result of CVE-2016-1238, In 5.26 it will be a build option to make a perl without . in @INC. This requires the script writer to be explicit if they want to load modules from relative paths.

For more info you can also see https://rt.perl.org/Ticket/Display.html?id=130467 and https://rt.perl.org/Ticket/Display.html?id=127810 for core perl discussions.

My doc is here http://blogs.perl.org/users/todd_rinaldo/2016/11/how-removing-from-inc-is-about-to-break-cpan.html



$>perl Build.PL
Can't locate builder/MyBuilder.pm in @INC (you may need to install the builder::MyBuilder module) (@INC contains: /home/smoker/perl5/lib/perl5/5.25.9/x86_64-linux /home/smoker/perl5/lib/perl5/5.25.9 /home/smoker/perl5/lib/perl5/x86_64-linux /home/smoker/perl5/lib/perl5 /perl/5.25.9/lib/site_perl/5.25.9/x86_64-linux /perl/5.25.9/lib/site_perl/5.25.9 /perl/5.25.9/lib/5.25.9/x86_64-linux /perl/5.25.9/lib/5.25.9) at Build.PL line 12.
BEGIN failed--compilation aborted at Build.PL line 12.
toddr commented 7 years ago

I looked at a possible patch and unfortunately the complexity of builder/MyBuild.pm makes this difficult to patch with anything short of altering @INC in Build.PL

toddr commented 7 years ago

https://github.com/gfx/p5-Mouse/pull/70

karenetheridge commented 7 years ago

Minilla's MB code should be fixed too.

andk commented 7 years ago

Also interesting: I let CPAN 2.17 build SYOHEX/Mouse-v2.4.8.tar.gz with a v5.25.9 with -Ddefault_inc_excludes_dot and all tests passed but then the 'make install' failed with:

Running Build install
Prepending /tmp/loop_over_bdir-10799-NW2b1u/Mouse-v2.4.8-0/blib/arch /tmp/loop_over_bdir-10799-NW2b1u/Mouse-v2.4.8-0/blib/lib to PERL5LIB for 'install'
==========monitoring proc 10803 perl /home/sand/src/perl/repoperls/installed-perls/host/k93x64xenial/v5.25.9/fe7e secs 99.0000=======
Can't locate builder/MyBuilder.pm in @INC (you may need to install the builder::MyBuilder module) (@INC contains: /tmp/loop_over_bdir-10799-NW2b1u/Mouse-v2.4.8-0/_build/lib /tmp/loop_over_bdir-10799-NW2b1u/Mouse-v2.4.8-0/blib/arch /tmp/loop_over_bdir-10799-NW2b1u/Mouse-v2.4.8-0/blib/lib /home/sand/src/perl/repoperls/installed-perls/host/k93x64xenial/v5.25.9/fe7e/lib/site_perl/5.25.9/x86_64-linux /home/sand/src/perl/repoperls/installed-perls/host/k93x64xenial/v5.25.9/fe7e/lib/site_perl/5.25.9 /home/sand/src/perl/repoperls/installed-perls/host/k93x64xenial/v5.25.9/fe7e/lib/5.25.9/x86_64-linux /home/sand/src/perl/repoperls/installed-perls/host/k93x64xenial/v5.25.9/fe7e/lib/5.25.9) at /tmp/loop_over_bdir-10799-NW2b1u/Mouse-v2.4.8-0/_build/lib/MyBuilder.pm line 2.
BEGIN failed--compilation aborted at /tmp/loop_over_bdir-10799-NW2b1u/Mouse-v2.4.8-0/_build/lib/MyBuilder.pm line 2.
Compilation failed in require at ./Build line 40.
BEGIN failed--compilation aborted at ./Build line 40.
  SYOHEX/Mouse-v2.4.8.tar.gz
  ./Build install --uninst 1 -- NOT OK

This may force us to add the PERL_USE_UNSAFE_INC environment also to the install gears of CPAN.pm. Or maybe there are better ideas?

karenetheridge commented 7 years ago 
# in Build.PL:
use lib 'builder';
use MyBuilder;

# in builder/MyBuilder.pm:
package MyBuilder;
toddr commented 7 years ago

@andk I just tested the pull request in Minilla (https://github.com/tokuhirom/Minilla/pull/216) and built a new Mouse with it. This seems to fix the problem. Build install worked after that.

toddr commented 7 years ago

At this point, it looks like you should be good to update to Minilla v3.0.10, which will re-generate Build.PL correctly on your next release.

Thanks!

syohex commented 7 years ago

https://metacpan.org/release/SYOHEX/Mouse-v2.4.9

I have released new version.

toddr commented 7 years ago

You rock! Thank you