From ae6efa261eb0bb18217881e8320b8af215174eb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 12 Nov 2019 16:38:03 +0100
Subject: [PATCH] Fix taint mode documentation regarding @INC
---
...-clearer-about-taint-s-effect-on-INC.patch | 32 +++++++++++++
...1.5-Fix-taint-mode-INC-documentation.patch | 45 +++++++++++++++++++
perl.spec | 9 ++++
3 files changed, 86 insertions(+)
create mode 100644 perl-5.31.5-Be-clearer-about-taint-s-effect-on-INC.patch
create mode 100644 perl-5.31.5-Fix-taint-mode-INC-documentation.patch
diff --git a/perl-5.31.5-Be-clearer-about-taint-s-effect-on-INC.patch b/perl-5.31.5-Be-clearer-about-taint-s-effect-on-INC.patch
new file mode 100644
index 0000000..5c69996
--- /dev/null
+++ b/perl-5.31.5-Be-clearer-about-taint-s-effect-on-INC.patch
@@ -0,0 +1,32 @@
+From a1c1fa25b1b25efb11cc8f987e007d4dd20056bc Mon Sep 17 00:00:00 2001
+From: Dave Cross
+Date: Wed, 23 Oct 2019 12:50:01 +0100
+Subject: [PATCH] Be clearer about taint's effect on @INC.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař
+---
+ pod/perlsec.pod | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/pod/perlsec.pod b/pod/perlsec.pod
+index 0682674143..a631981ba5 100644
+--- a/pod/perlsec.pod
++++ b/pod/perlsec.pod
+@@ -269,8 +269,9 @@ problem will be reported:
+ Insecure dependency in require while running with -T switch
+
+On versions of Perl before 5.26, activating taint mode will also remove
+-the current directory (".") from C<@INC>. Since version 5.26, the
+-current directory isn't included in C<@INC>.
++the current directory (".") from the default value of C<@INC>. Since
++version 5.26, the current directory isn't included in C<@INC> by
++default.
+
+=head2 Cleaning Up Your Path
+
+--
+2.21.0
+
diff --git a/perl-5.31.5-Fix-taint-mode-INC-documentation.patch b/perl-5.31.5-Fix-taint-mode-INC-documentation.patch
new file mode 100644
index 0000000..099a6ea
--- /dev/null
+++ b/perl-5.31.5-Fix-taint-mode-INC-documentation.patch
@@ -0,0 +1,45 @@
+From f73351928dfa1d1d564d3f7b8e63c5281ed835ee Mon Sep 17 00:00:00 2001
+From: Dave Cross
+Date: Tue, 22 Oct 2019 14:24:13 +0100
+Subject: [PATCH] Fix taint mode @INC documentation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Explain that -T no longer removes '.' from @INC because, since
+5.26, '.' isn't in @INC to start with.
+
+Signed-off-by: Petr Písař
+---
+ pod/perlsec.pod | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/pod/perlsec.pod b/pod/perlsec.pod
+index b210445685..0682674143 100644
+--- a/pod/perlsec.pod
++++ b/pod/perlsec.pod
+@@ -245,8 +245,8 @@ Unix-like environments that support #! and setuid or setgid scripts.)
+
+ =head2 Taint mode and @INC
+
+-When the taint mode (C<-T>) is in effect, the "." directory is removed
+-from C<@INC>, and the environment variables C and C
++When the taint mode (C<-T>) is in effect, the environment variables
++C and C
+ are ignored by Perl. You can still adjust C<@INC> from outside the
+ program by using the C<-I> command line option as explained in
+ L. The two environment variables are ignored because
+@@ -268,6 +268,10 @@ problem will be reported:
+
+ Insecure dependency in require while running with -T switch
+
++On versions of Perl before 5.26, activating taint mode will also remove
++the current directory (".") from C<@INC>. Since version 5.26, the
++current directory isn't included in C<@INC>.
++
+ =head2 Cleaning Up Your Path
+
+ For "Insecure C<$ENV{PATH}>" messages, you need to set C<$ENV{'PATH'}> to
+--
+2.21.0
+
diff --git a/perl.spec b/perl.spec
index 94272c6..84121a4 100644
--- a/perl.spec
+++ b/perl.spec
@@ -268,6 +268,10 @@ Patch63: perl-5.30.1-perl-125557-correctly-handle-overload-for-bin-oct-fl # in upstream after 5.31.4 Patch64: perl-5.31.4-Handle-undefined-values-correctly.patch +# Fix taint mode documentation regarding @INC, in upstream after 5.31.5 +Patch65: perl-5.31.5-Fix-taint-mode-INC-documentation.patch +Patch66: perl-5.31.5-Be-clearer-about-taint-s-effect-on-INC.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -2853,6 +2857,8 @@ rm -rf .git # Perl tests examine a git repository %patch62 -p1 %patch63 -p1 %patch64 -p1 +%patch65 -p1 +%patch66 -p1 %patch200 -p1 %patch201 -p1 @@ -2912,6 +2918,8 @@ perl -x patchlevel.h \ 'Fedora Patch62: Fix a detection for futimes (RT#134432)' \ 'Fedora Patch63: Fix overloading for binary and octal floats (RT#125557)' \ 'Fedora Patch64: Fix handling undefined array members in Dumpvalue (RT#134441)' \ + 'Fedora Patch65: Fix taint mode documentation regarding @INC' \ + 'Fedora Patch66: Fix taint mode documentation regarding @INC' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} @@ -5160,6 +5168,7 @@ popd * Tue Nov 12 2019 Petr Pisar - 4:5.30.1-448 - Fix overloading for binary and octal floats (RT#125557) - Fix handling undefined array members in Dumpvalue (RT#134441) +- Fix taint mode documentation regarding @INC * Mon Nov 11 2019 Jitka Plesnikova - 4:5.30.1-447 - 5.30.1 bump (see
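Review bot: In the patchlevel.h hunk (-2912,6 +2918,8) Patch65 and Patch66 are registered with the same description, `'Fedora Patch66: Fix taint mode documentation regarding @INC'`, so the two entries cannot be told apart in the patch list that `perl -V` normally prints from patchlevel.h. Someone auditing which fixes a build carries has to go back to the spec to see that these are two separate upstream commits. Giving each entry its own wording would fix that, for example `'Fedora Patch66: Clarify that taint mode affects only the default @INC' \`, matching the second patch's upstream subject. The shared comment above Patch65/Patch66 and the single changelog line read fine as they are.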