David Golden wrote:
> Sorry -- I wasn't clear. CPAN::PERL5INC just gets a list of
> directories from a YAML data file and unshifts them to @INC. It can
> use any of the YAML modules that provide LoadFile().
>
> The issue appears to be that YAML::Syck returns a tainted data
> structure. It doesn't happen with YAML or YAML::Tiny. I would
> presume that YAML and YAML::Tiny use regexes to parse the YAML file
> and that leads to an untainted structure.
>
> I'm attaching my test files if anyone cares to see for themselves.
> Just pass the YAML module you want to use as an argument to p5inc.pl
> and it runs foo.t through the harness (using the -T flag in the
> shebang line).

Pass this tidbit along to the YAML module authors?

> The patch I committed to the CPAN repository just explicitly untaints
> each directory before unshifting to @INC.

Excellent. I look forward to PASSes for UNIVERSAL::require. :)

--
But there's no sense crying over every mistake.
You just keep on trying till you run out of cake.
-- Jonathan Coulton, "Still Alive"
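
Added example, not part of the original message and not the patch committed to the CPAN repository: one way to untaint directory entries before unshifting them onto @INC under `-T`, validating each path instead of capturing it blindly. The `untaint_dir` helper, its path policy and the sample directories are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as `perl -T untaint_inc.pl` (or execute directly) so taint mode is on.
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Hypothetical helper: returns an untainted copy of $dir, or undef if the
# entry fails the (assumed) policy: absolute path, no ".." components,
# conservative character set. Only the regex capture clears the taint flag.
sub untaint_dir {
    my ($dir) = @_;
    return undef unless defined $dir && length $dir;
    return undef unless File::Spec->file_name_is_absolute($dir);
    return undef if grep { $_ eq '..' } File::Spec->splitdir($dir);
    return $dir =~ m{\A([\w./+\-]+)\z} ? $1 : undef;
}

# Constructed sample standing in for the list a YAML loader returned.
# Appending a zero-length tainted string marks each entry as tainted.
my $taint     = substr("$0$^X", 0, 0);
my @from_yaml = map { $_ . $taint }
    ('/opt/perl5/lib', '/opt/perl5/../etc', 'relative/lib');

for my $dir (@from_yaml) {
    my $clean = untaint_dir($dir);
    if (defined $clean) {
        unshift @INC, $clean;
        printf "added   %s (tainted before: %s, after: %s)\n",
            $clean, (tainted($dir) ? 'yes' : 'no'), (tainted($clean) ? 'yes' : 'no');
    }
    else {
        print "skipped $dir\n";
    }
}
```

A catch-all capture such as `(.*)` would clear the taint flag just as well, which is why the check that decides what may enter @INC has to live in the pattern and the tests around it.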