On Thu, Nov 13, 2008 at 3:39 AM, Shlomi Fish <[EMAIL PROTECTED]> wrote:
>> What I was expressing is that the CPAN shell can do the twiddling to strip
>> flags at the point of extraction, rather than PAUSE stopping it at the
>> gate. Archive::Tar already does this (see
>> $Archive::Tar::INSECURE_EXTRACT_MODE).
>
> Archive::Tar does, but Archive::Extract (which CPANPLUS uses) doesn't.

It was a bug. Addressed in 0.28 as a result of these discussions. The next non-development release of CPANPLUS will use the new Archive::Extract and close the security hole under discussion.

-- David