Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options

Date::Manip and taint mode

by byfr81 (Initiate)
on Jun 17, 2020 at 06:02 UTC ( #11118171=perlquestion: print w/replies, xml ) Need Help??

byfr81 has asked for the wisdom of the Perl Monks concerning the following question:


I have a problem when i load the module Date::Manip and taint mode is active in my script :
ERROR LOADING MODULE: Date::Manip::DM6 at /usr/local/lib/perl5/site_perl/Date/ line 35.

When i don't put the taint mode, the problem disappears. I am on FreeBSD 12.1-RELEASE-p2 and version of Date::Manip is 6.82

Does anyone here have the solution ?

Thank you.

Replies are listed 'Best First'.
Re: Date::Manip and taint mode
by Corion (Pope) on Jun 17, 2020 at 06:29 UTC

    Look at @INC. If you populate it from the outside, for example by setting PERL5LIB, taint mode will ignore that.

    The best approach is to set up @INC from within your script, using use lib;.

      Corion, could you please elaborate on that? How, exactly, is taint-mode triggering the library not being loaded, an how, exactly, does your suggestion address it? No question that you surely are right ... but to an outsider with less knowledge than you have it isn't easy to see why.

        If you don't have PERL5LIB set in your environment, the problem is somewhere else.

        The variable @INC is the search path where Perl looks for modules. You can inspect the module search path by running perl -V on the command line.

        The value of @INC is influenced by the environment variable PERL5LIB, see perlrun and perlvar on @INC.

        The link I posted explains that the environment variable PERL5LIB is ignored under taint mode.

        The module lib is a convenient way to set up @INC (which PERL5LIB also sets) from within a Perl program.

Re: Date::Manip and taint mode
by hippo (Chancellor) on Jun 17, 2020 at 14:05 UTC

    I am unable to reproduce your problem. I'm not on FreeBSD, however.

    $ perl -v | head -3 This is perl 5, version 30, subversion 0 (v5.30.0) built for x86_64-li +nux $ perl -T -MDate::Manip -E 'say $Date::Manip::VERSION;' 6.82 $

    If you could provide an SSCCE then perhaps it would help to show where the problem really lies.

    Update: following parv's uncovering the likely culprit I confirm that this reproduces the error for me too:

    $ ENV=foo perl -T -MDate::Manip -E 'say $Date::Manip::VERSION;' ERROR LOADING MODULE: Date::Manip::DM6 at /path/to/perlbrew/perls/perl +-5.30.0/lib/site_perl/5.30.0/Date/ line 35. Compilation failed in require. BEGIN failed--compilation aborted. $
Re: Date::Manip and taint mode
by Anonymous Monk on Jun 18, 2020 at 05:00 UTC

    I was bugged by the fact that this works on Linux but not FreeBSD so I spent some time poking at a VM.

    What I think is going on is that Date::Manip::TZ tries to get the time zone in a few different ways and finally uses shell commands. I think it probably uses files on Linux but winds up running a shell command on FreeBSD. Since $ENV{ENV} is defined on FreeBSD, we get...

    $ perl -T -MDate::Manip::DM6 -E 'say $Date::Manip::VERSION' Insecure $ENV{ENV} while running with -T switch at /usr/local/lib/perl +5/site_perl/Date/Manip/ line 844.
    The line that provokes the error is
    open(IN,$cmd |") || return ();

    I believe the answer is that you need to clean up $ENV{ENV} but I suppose that might also be something that Date::Manip::TZ should be doing.

    If worse comes to worst, there seem to be a lot of ways to configure the time zone so maybe you can find one that avoids the shell.

    FWIW, the old version 5 interface doesn't have this problem.

    $ DATE_MANIP=DM5 perl -T -MDate::Manip -E 'say $Date::Manip::VERSION' 6.81

    2020-06-21 Athanasius changed "Data::Manip::TZ" link to "Date::Manip::TZ".

      Nothing but a newline is printed here (FreeBSD 12.1-STABLE r358002, perl 5.30.3, /bin/sh & zsh) for ...

      $ perl -T -MDate::Manip::DM6 -E 'say $Date::Manip::VERSION'

      I get the same output -- 6.81 -- for both of ...

      $ DATE_MANIP=DM5 perl -T -MDate::Manip -E 'say $Date::Manip::VERSION' $ DATE_MANIP=DM6 perl -T -MDate::Manip -E 'say $Date::Manip::VERSION'

      ... without any error messages. For me $ENV{ENV} is undefined in both shells; I have not explicitly (un)set it myself.

      After explicitly making ENV an environment variable for the exercise, error messages are certainly reproducible. So something is stuffing ENV for you and possibly for OP. Wait ...

      Ah. I see I did set ENV to shell configuration file path in long unused profile for Bourne shell (sh) & in bash{rc,_profile} for bash.

        Interesting, stuffing up ENV brings the error to Linux too.

        $ ENV=blah perl -T -MDate::Manip -E 'say $Date::Manip::VERSION' ERROR LOADING MODULE: Date::Manip::DM6 at /usr/share/perl5/vendor_perl +/Date/ line 35.

        I'm still on Bourne shell as I just set up a FreeBSD VM to mess around with kqueue.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://11118171]
Approved by kcott
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (6)
As of 2021-06-14 09:59 GMT
Find Nodes?
    Voting Booth?
    What does the "s" stand for in "perls"? (Whence perls)

    Results (62 votes). Check out past polls.