Brian Fraser via RT
2014-02-23 18:10:56 UTC
Sun Feb 23 13:10:55 2014: Request 65703 was acted upon.
Transaction: Correspondence added by Hugmeir
Queue: Inline
Subject: Build Problem - Inline::C fails at t/08taint.t
Broken in: (no value)
Severity: (no value)
Owner: Nobody
Requestors: alexander.haeckel-S0/***@public.gmane.org
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=65703 >
tl;dr: Skipping the tests when $^O eq 'android' would probably be for the best, if that filter is going to stay.
Android's an interesting case. It's basically a Linux system that doesn't provide any toolchain whatsoever, so you either have to install one yourself (and to do that, you need to root your phone and probably create/mount an ext3/4 partition in your sdcard) or have an app install it for you. Either way, the toolchain ends up in a non-standard location with non-standard permissions, and to use it you need to tweak with its permissions and/or be root.
There's probably no ideal solution here, but either way my suggestion is to have the module skip t/08taint.t under Android, and then to have env_untaint actually check if an entry is already untainted (with Scalar::Util::tainted in perl>=5.8, and whatever the eval invocation in older perls is); if it is, trust it as-is, no need to filter anything. That way, if someone wants to use Inline on Android under taint, they can do it by manually untainting $ENV{PATH}, which they should've been doing in the first place :)
The problem here as I see it is the use of
(stat("/usr/bin"))[2] & 0022
instead of
(stat("/usr/bin"))[2] & 0002
, because you must be authorized to write into
the first case, but needn't be in the second.
If you exclude 0020 you could exclude 0200 for
the same reasons.
To me it would seem more consistent to use the -w, -W operators
to check for every directory in the path if it
is writable at all. Then you can omit the
join ':', grep {not /^\./ and -d $_ and not -w $_ || -W $_
} split /:/, $ENV{PATH};
This issue just bit me when smoking CPAN on Android. Unfortunately, the above solution doesn't work for me.
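Added example, not Inline's code and not part of the ticket: a sketch of the behaviour suggested in this message, where a hypothetical `safe_path` helper trusts a PATH that is already untainted and otherwise drops relative, missing, and group- or world-writable directories. Run it under `perl -T`; the helper name, the `WRITABLE_MASK` constant and the `/opt/toolchain/bin` value are assumptions for illustration.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Mask the ticket says the filter applies (group- or world-writable);
# the quoted message argues for 0002 (world-writable only).
use constant WRITABLE_MASK => 0022;

# Hypothetical helper for illustration; this is not Inline's env_untaint.
sub safe_path {
    my ($path) = @_;

    # A value the caller already untainted is trusted as-is.
    return $path unless tainted($path);

    my @keep;
    for my $dir (split /:/, $path) {
        # Empty and relative entries resolve against the current directory.
        next unless $dir =~ m{^/};
        my @st = stat $dir;
        next unless @st && -d _;
        next if $st[2] & WRITABLE_MASK;
        # Untaint by capturing against a conservative character set.
        push @keep, $1 if $dir =~ m{^(/[\w./+-]*)$};
    }
    return join ':', @keep;
}

die "run with: perl -T $0\n" unless ${^TAINT};

# Under -T the inherited PATH is tainted, so it goes through the filter.
print "filtered: ", safe_path($ENV{PATH} // ''), "\n";

# Constructed value: assigning a literal untaints $ENV{PATH}, as a user with
# a toolchain in a non-standard location would do by hand.
$ENV{PATH} = '/opt/toolchain/bin';
print "trusted:  ", safe_path($ENV{PATH}), "\n";
```

The second call returns the manually set PATH unchanged, even if that directory does not exist or would fail the permission mask, because the caller has taken responsibility for it by untainting.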