Item9100: Run pseudo-install.pl with warnings and taint..

pencil
Priority: Enhancement
Current State: Closed
Released In: 1.1.0
Target Release: minor
Applies To: Engine
Component:
Branches:
Reported By: SvenDowideit
Waiting For:
Last Change By: KennethLavrsen
its not hard..

-- SvenDowideit - 03 Jun 2010

A bit harder than you thought, but... worth it smile

-- OlivierRaginel - 04 Jun 2010

awedom - yes, someone gave me a cold smile

-- SvenDowideit - 05 Jun 2010

Oups, forgot one unlink. Thanks CDot for spotting.

-- OlivierRaginel - 08 Jun 2010

WHY? What is the point of this?

-- CrawfordCurrie - 08 Jun 2010

Reopened to fix the deb autobuilder to support taint too.

-- DrakeDiedrich - 08 Jun 2010

Crawford - consistency of approach for one - and it means that migrating any code from there will be safe too.

tbh, I'd like pseudo-install to merge into configure so that we don't duplicate code, and work towards configure working from the command line.

if we get there, we should be able to ship just the bootstrappable Configure script, which could then download the core and other components, set the defaults and go - either from the cmdline, or from a browser.

similarly, if configure were run from an svn co, it'd do the same but by symlinking things in.

-- SvenDowideit - 09 Jun 2010

Why do I have to fight with taint issues on pseudo-install now.

I run a script that has worked for years and suddenly I get

"-T" is on the #! line, it must also be used on the command line at pseudo-install.pl line 1.

This script is run from the command line by a developer who can enter any damaging commands anyway. Why do I have to be protected from tainted data running pseudo-install? Why do we need this? It makes no sense at all. It just creates problems for now gain.

What are we supposed to do now? Do we now always have to add -T to pseudo-install?

-- KennethLavrsen - 10 Jun 2010

Kenneth, yes, as I wrote in some email to the SVN list, all scripts calling pseudo-install.pl will now have to perl -T it.

-- OlivierRaginel - 13 Jun 2010

I just don't understand why we bother. It is a command line script. From a command line I can delete files. What are you trying to protect?

I see only problems from this and no solutions. And is it documented now in Development web?

-- KennethLavrsen - 14 Jun 2010

we bother because it is a normal way to improve code quality.

I did it specifically to track down a bug that caused strawberry perl on windows and pseudo-install non-functional, and turning on what is considered to be 'normal good practice' found the issue, and I was able to fix it.

basically, -wT and strict would be the default in perl5 if they weren't worried about terminally breaking perl4 code.

-- SvenDowideit - 15 Jun 2010

Obviously nobody tested -copy, cos I get taint failures. Fixed now.

-- CrawfordCurrie - 13 Jul 2010
 
Topic revision: r35 - 04 Oct 2010, KennethLavrsen
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy