Mailing-List: contact dev-help@perl.apache.org; run by ezmlm
Precedence: bulk
Message-ID: <40D9F2CD.7010001@ectoplasm.org>
Date: Wed, 23 Jun 2004 14:14:53 -0700
From: "Philippe M. Chiasson" <gozer@ectoplasm.org>
User-Agent: Mozilla Thunderbird 0.7 (X11/20040615)
MIME-Version: 1.0
To: Stas Bekman <stas@stason.org>
Cc: dev@perl.apache.org
Subject: Re: [Patch mp2] Statically compiling mod_perl in httpd (take 2)
References: <40B6238C.7070202@ectoplasm.org> <40B62F7F.6000405@stason.org>
 <40CE1EE0.8080300@ectoplasm.org> <40CECDEB.60004@stason.org>
 <40CF88BC.6040505@ectoplasm.org> <40CFF0C8.1030304@stason.org>
 <40D9C9C4.6030803@ectoplasm.org> <40D9E2F7.9060701@stason.org>
In-Reply-To: <40D9E2F7.9060701@stason.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit


Stas Bekman wrote:
> Philippe M. Chiasson wrote:
> 
>>
>>Stas Bekman wrote:
>>
>>
>>>Philippe M. Chiasson wrote:
>>>[...]
>>>
>>>
>>>>>>+    $ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
>>>>>>   my $handle = Symbol::gensym();
>>>>>>   open $handle, "$cmd|" or die "$cmd failed: $!";
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>What do you need that for and why the hardcoded paths?
>>>>
>>>>
>>>>
>>>>That's an artefact from my builds that I could remove, I guess. It's 
>>>>because if you run a static build and tests against a non-installed 
>>>>httpd
>>>>build, the actual httpd binary is a smart libtool shell script plucking
>>>>things from .libs/ and such, right? And it uses plenty of ls, sed, 
>>>>grep and
>>>>friends. When those things are not in the path anymore, the httpd binary
>>>>(shell script) will not work at all.
>>>>
>>>>Of course, I don't think there are a lot of folks out there that 
>>>>would run
>>>>tests that way without installing httpd, but I do.
>>>
>>>
>>>
>>>Sure, but the problem is the hardcoded paths, which could quite vary 
>>>from machine to machine. I think, instead, one should launder the 
>>>original shell's $PATH in this particular case and use it unmodified 
>>>(sans making -T happy).
>>
>>
>>I agree that hard-coding a path like this isn't quite a good idea.
>>
>>But I am not sure what you mean with "sans making -T happy". I can see 
>>how one
>>could untaint $PATH, but not really how to insure it's clean (except by 
>>setting
>>it to arbitrary value, like /bin:/usr/bin:/usr/local/bin)
> 
> 
> It's a test suite. I fail to see what danger could happen with /(.*)/ 
> laundering of $PATH. You can't possibly know what the PATH will be besides the 
> common components.

That sounds like an acceptable assumption to me, so something like this would
be okay then ?

  sub open_cmd {
      my($self, $cmd) = @_;
      # untaint some %ENV fields
-    local @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) };
-
+    local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
+    # untaint but keep PATH
+    (local $ENV{PATH}) = ($ENV{PATH} =~ /(.*)/);
      my $handle = Symbol::gensym();
      open $handle, "$cmd|" or die "$cmd failed: $!";


> 

-- 
--------------------------------------------------------------------------------
Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 88C3A5A5
http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3A5A5

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org