https://bugzilla.redhat.com/show_bug.cgi?id=2130625
--- Comment #4 from Petr Pisar <ppisar(a)redhat.com> ---
perl-Inline-0.86-10.el9 damages multi-line environment variables.
A reproducer with perl-Inline-C:
$ rm -rf _Inline; perl -Ilib -e 'use Inline Config => UNTAINT => 1; use Inline C => q{void foo(void) { return; }};'
In Inline::env_untaint() : Blindly untainting tainted fields in %ENV.
In Inline::check_config_file(): Blindly untainting Inline configuration file information.
In Inline::env_untaint() : Blindly untainting tainted fields in %ENV.
In Inline::obj_untaint() : Blindly untainting tainted fields in Inline object.
sh: which: line 1: syntax error: unexpected end of file
sh: error importing function definition for `which'
sh: which: line 1: syntax error: unexpected end of file
sh: error importing function definition for `which'
sh: which: line 1: syntax error: unexpected end of file
sh: error importing function definition for `which'
The error messages come from bash because of the BASH_FUNC_which%%=() shell
function set in /etc/profile.d/which2.sh (which-2.21-28.el9). It's not
reproducible in Fedora 38 because the "which" package stopped defining the
shell function.
The environment variable is damaged in Inline::env_untaint() with this regular
expression:
for (keys %ENV) {
($ENV{$_}) = $ENV{$_} =~ /(.*)/;
}
That was confirmed with debugging warnings around the regexp:
UNTAIN BEFORE: BASH_FUNC_which%%=() { ( alias;
eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot $@
} at ../../perl-Inline/Inline-0.86/lib/Inline.pm line 1089.
UNTAIN AFTER: BASH_FUNC_which%%=() { ( alias; at ../../perl-Inline/Inline-0.86/lib/Inline.pm line 1091.
A pure Inline reproducer:
$ perl -Ilib -e 'use Inline; $ENV{foo}="a\nb"; Inline::env_untaint(); print "<$ENV{foo}>\n"'
In Inline::env_untaint() : Blindly untainting tainted fields in %ENV.
<a>
A fix is posted at <https://github.com/ingydotnet/inline-pm/pull/80>.
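
The truncation described in the comment above, as an added example that is not part of the original comment or of the Inline code base: it applies the quoted pattern to a constructed environment and lists the variables that would lose data. The function names and sample values are hypothetical, and the /s variant is an assumed correction, not necessarily the change made in the pull request.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample environment. The second entry mimics the exported bash
# function from the comment; its value spans three lines.
my %sample = (
    PATH                => '/usr/bin:/bin',
    'BASH_FUNC_which%%' => join("\n",
        '() { ( alias;',
        ' eval ${which_declare} ) | /usr/bin/which --tty-only $@',
        '}'),
    foo                 => "a\nb",
);

# Pattern quoted in the comment: "." does not match "\n", so the capture
# ends at the first newline and the rest of the value is dropped.
sub untaint_lossy {
    my ($value) = @_;
    my ($clean) = $value =~ /(.*)/;
    return $clean;
}

# Assumed correction: with /s, "." matches "\n" too, so the whole value
# is captured.
sub untaint_whole {
    my ($value) = @_;
    my ($clean) = $value =~ /(.*)/s;
    return $clean;
}

# Names of the variables whose value the lossy pattern would change.
sub truncated_vars {
    my ($env) = @_;
    my @names = grep { untaint_lossy($env->{$_}) ne $env->{$_} } keys %$env;
    return sort @names;
}

for my $name (truncated_vars(\%sample)) {
    my $orig = $sample{$name};
    printf "%s: kept %d of %d characters; /s keeps %d\n", $name,
        length(untaint_lossy($orig)), length($orig),
        length(untaint_whole($orig));
}

# The same check against the real environment of this process.
print "at risk in current environment: $_\n" for truncated_vars(\%ENV);
```

Run in a login shell on an affected host, the last line names every exported variable, shell functions included, that would reach child processes truncated.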