Item9100: Run pseudo-install.pl with warnings and taint..
Priority: Enhancement
Current State: Closed
Released In: 1.1.0
Target Release: minor
Applies To: Engine
Component:
Branches:
it's not hard..
--
SvenDowideit - 03 Jun 2010
A bit harder than you thought, but... worth it
--
OlivierRaginel - 04 Jun 2010
awedom - yes, someone gave me a cold
--
SvenDowideit - 05 Jun 2010
Oops, forgot one unlink. Thanks CDot for spotting.
--
OlivierRaginel - 08 Jun 2010
WHY? What is the point of this?
--
CrawfordCurrie - 08 Jun 2010
Reopened to fix the deb autobuilder to support taint too.
--
DrakeDiedrich - 08 Jun 2010
Crawford - consistency of approach for one - and it means that migrating any code from there will be safe too.
tbh, I'd like pseudo-install to merge into configure so that we don't duplicate code, and work towards configure working from the command line.
if we get there, we should be able to ship just the bootstrappable Configure script, which could then download the core and other components, set the defaults and go - either from the cmdline, or from a browser.
similarly, if configure were run from an svn co, it'd do the same but by symlinking things in.
--
SvenDowideit - 09 Jun 2010
Why do I have to fight with taint issues on pseudo-install now?
I run a script that has worked for years and suddenly I get
"-T" is on the #! line, it must also be used on the command line at pseudo-install.pl line 1.
This script is run from the command line by a developer who can enter any damaging commands anyway. Why do I have to be protected from tainted data running pseudo-install? Why do we need this? It makes no sense at all. It just creates problems for no gain.
What are we supposed to do now? Do we now always have to add -T to pseudo-install?
--
KennethLavrsen - 10 Jun 2010
Kenneth, yes, as I wrote in some email to the SVN list, all scripts calling pseudo-install.pl will now have to perl -T it.
--
OlivierRaginel - 13 Jun 2010
I just don't understand why we bother. It is a command line script. From a command line I can delete files. What are you trying to protect?
I see only problems from this and no solutions. And is it documented now in Development web?
--
KennethLavrsen - 14 Jun 2010
we bother because it is a normal way to improve code quality.
I did it specifically to track down a bug that caused strawberry perl on windows and pseudo-install to be non-functional, and turning on what is considered to be 'normal good practice' found the issue, and I was able to fix it.
basically, -wT and strict would be the default in perl5 if they weren't worried about terminally breaking perl4 code.
--
SvenDowideit - 15 Jun 2010
Obviously nobody tested -copy, cos I get taint failures. Fixed now.
--
CrawfordCurrie - 13 Jul 2010