Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

Re: Date::Manip and taint mode

by Anonymous Monk
on Jun 18, 2020 at 05:00 UTC ( [id://11118220]=note: print w/replies, xml ) Need Help??


in reply to Date::Manip and taint mode

I was bugged by the fact that this works on Linux but not FreeBSD so I spent some time poking at a VM.

What I think is going on is that Date::Manip::TZ tries to get the time zone in a few different ways and finally uses shell commands. I think it probably uses files on Linux but winds up running a shell command on FreeBSD. Since $ENV{ENV} is defined on FreeBSD, we get...

$ perl -T -MDate::Manip::DM6 -E 'say $Date::Manip::VERSION' Insecure $ENV{ENV} while running with -T switch at /usr/local/lib/perl +5/site_perl/Date/Manip/TZ.pm line 844.
The line that provokes the error is
open(IN,$cmd |") || return ();

I believe the answer is that you need to clean up $ENV{ENV} but I suppose that might also be something that Date::Manip::TZ should be doing.

If worse comes to worst, there seem to be a lot of ways to configure the time zone so maybe you can find one that avoids the shell.

FWIW, the old version 5 interface doesn't have this problem.

$ DATE_MANIP=DM5 perl -T -MDate::Manip -E 'say $Date::Manip::VERSION' 6.81

2020-06-21 Athanasius changed "Data::Manip::TZ" link to "Date::Manip::TZ".

Replies are listed 'Best First'.
Re^2: Date::Manip and taint mode
by parv (Parson) on Jun 18, 2020 at 05:13 UTC

    Nothing but a newline is printed here (FreeBSD 12.1-STABLE r358002, perl 5.30.3, /bin/sh & zsh) for ...

    $ perl -T -MDate::Manip::DM6 -E 'say $Date::Manip::VERSION'

    I get the same output -- 6.81 -- for both of ...

    $ DATE_MANIP=DM5 perl -T -MDate::Manip -E 'say $Date::Manip::VERSION' $ DATE_MANIP=DM6 perl -T -MDate::Manip -E 'say $Date::Manip::VERSION'

    ... without any error messages. For me $ENV{ENV} is undefined in both shells; I have not explicitly (un)set it myself.

    After explicitly making ENV an environment variable for the exercise, error messages are certainly reproducible. So something is stuffing ENV for you and possibly for OP. Wait ...

    Ah. I see I did set ENV to shell configuration file path in long unused profile for Bourne shell (sh) & in bash{rc,_profile} for bash.

      Interesting, stuffing up ENV brings the error to Linux too.

      $ ENV=blah perl -T -MDate::Manip -E 'say $Date::Manip::VERSION' ERROR LOADING MODULE: Date::Manip::DM6 at /usr/share/perl5/vendor_perl +/Date/Manip.pm line 35.

      I'm still on Bourne shell as I just set up a FreeBSD VM to mess around with kqueue.

        I've never run into this (though I don't use taint mode very often). I just ran the same command (setting ENV=blah on linux) and it ran without error. I'm investigating to see if I can fix Date::Manip to not suffer from this taint issue.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11118220]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others chanting in the Monastery: (6)
As of 2024-03-29 09:53 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found