perl-Taint-Runtime/perl-Taint-Runtime.spec
#
# spec file for package perl-Taint-Runtime
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define cpan_name Taint-Runtime
Name: perl-Taint-Runtime
Version: 0.30.0
Release: 0
# 0.03 -> normalize -> 0.30.0
%define cpan_version 0.03
License: Artistic-1.0 OR GPL-1.0-or-later
Summary: Runtime enable taint checking
URL: https://metacpan.org/release/%{cpan_name}
Source0: https://cpan.metacpan.org/authors/id/R/RH/RHANDOM/%{cpan_name}-%{cpan_version}.tar.gz
Source100: README.md
BuildRequires: perl
BuildRequires: perl-macros
Provides: perl(Taint::Runtime) = %{version}
%undefine __perllib_provides
%{perl_requires}
%description
First - you probably shouldn't use this module to control taint. You should
probably use the -T switch on the commandline instead. There are a somewhat
limited number of legitimate use cases where you should use this module
instead of the -T switch. Unless you have a specific and good reason for
not using the -T option, you should use the -T option.

Taint is a good thing. However, few people (that I work with or talk to or
discuss items with) use taint even though they should. The goal of this
module isn't to use taint less, but to actually encourage its use more.

This module aims to make using taint as painless as possible (This can be
an argument against it - often implementation of security implies pain - so
taking away pain might lessen security - sort of).

In general - the more secure your script needs to be - the earlier on in
your program that tainting should be enabled. For most setuid scripts, you
should enable taint by using the -T switch. Without doing so you allow for
a non-root user to override @INC which allows for them to put their own
module in the place of trusted modules. This is bad. This is very bad. Use
the -T switch.

There are some common places where this module may be useful, and where
most people don't use it. One such place is in a web server. The -T switch
removes PERL5LIB and PERLLIB and '.' from @INC (or removes them before they
can be added). This makes sense under setuid. The use of the -T switch in a
CGI environment may cause a bit of a headache. For newly developed CGI
scripts it may be possible to use the -T switch, and for mod_perl
environments there is the PerlTaint variable. Both of these methods will
enable taint and from that point on development should be done with taint.
However, many (possibly most) perl web server implementations add their own
paths to the PERL5LIB. All CGIs and mod_perl scripts can then have access.
Using the -T switch throws a wrench into the works as suddenly PERL5LIB
disappears (mod_perl can easily have the extra directories added again
using <perl>push @INC, '/our/lib/dir';</perl>). The company I work for has
200 plus user visible scripts mixed with some mod_perl. Currently none of
the scripts use taint. We would like for them all to, but it is not
feasible to make the change all at once. Taint::Runtime allows for moving
legacy scripts over one at a time.

Again, if you are using setuid - don't use this module.

If you are not using setuid and have reasons not to use the -T and are
using this module, make sure that taint is enabled before processing any
user data. Also remember that BECAUSE THE -T SWITCH WAS NOT USED %ENV IS
INITIALLY NOT MARKED AS TAINTED. Call taint_env() to mark it as tainted
(especially important in CGI scripts which all read from
$ENV{'QUERY_STRING'}).

If you are not using the -T switch, you most likely should use the
following at the very top of your script:

  #!/usr/bin/perl -w
  use strict;
  use Taint::Runtime qw(enable taint_env);
  taint_env();

Though this module allows for you to turn taint off - you probably
shouldn't. This module is more for you to turn taint on - and once it is on
it probably ought to stay on.
%prep
%autosetup -n %{cpan_name}-%{cpan_version}
%build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
%make_build
%check
make test
%install
%perl_make_install
%perl_process_packlist
%perl_gen_filelist
%files -f %{name}.files
%doc Changes README
%changelog
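The runtime-enable pattern from the %description above (turn taint on, call taint_env(), validate before use), as an added example that is not part of the package or of the module's own documentation. It assumes the taint_start and taint_enabled exports documented on CPAN for Taint::Runtime; Scalar::Util::tainted is core Perl, and the QUERY_STRING value is constructed.

```perl
#!/usr/bin/perl -w
# Added example, not code from the package or the module's own POD.
# Run WITHOUT -T: it shows why taint_env() is needed in that situation.
use strict;
use Scalar::Util ();                                  # core: Scalar::Util::tainted
use Taint::Runtime qw(taint_start taint_enabled taint_env);  # assumed exports

sub yn { $_[0] ? 'yes' : 'no' }

# Constructed sample input, standing in for what a CGI server would set.
$ENV{QUERY_STRING} = 'name=alice';

printf "taint enabled at startup:              %s\n", yn(taint_enabled());
taint_start();   # same effect as importing 'enable' or setting $TAINT = 1
printf "taint enabled after taint_start:       %s\n", yn(taint_enabled());

# Without -T, perl never marked %ENV; turning taint on does not do it either.
printf "QUERY_STRING tainted before taint_env: %s\n",
    yn(Scalar::Util::tainted($ENV{QUERY_STRING}));
taint_env();     # the step the description insists on
printf "QUERY_STRING tainted after taint_env:  %s\n",
    yn(Scalar::Util::tainted($ENV{QUERY_STRING}));

# Only explicit validation clears the flag: a regex capture is the standard
# Perl idiom, and the pattern is the whole check, so keep it strict.
my ($name) = $ENV{QUERY_STRING} =~ /^name=([A-Za-z0-9_]{1,32})$/;
defined $name or die "QUERY_STRING did not validate\n";
printf "validated name tainted:                %s\n",
    yn(Scalar::Util::tainted($name));

# An unvalidated copy stays tainted, and taint mode now refuses to let it
# reach an operation such as chdir (perl dies with "Insecure dependency").
my $raw = $ENV{QUERY_STRING};
my $ok  = eval { chdir $raw; 1 };
printf "chdir with unvalidated input blocked:  %s\n",
    yn(!$ok && $@ =~ /^Insecure dependency/);
```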