https://bugzilla.redhat.com/show_bug.cgi?id=1629642

Bug ID: 1629642
Summary: Module version generator should evaluate $VERSION assignment
Product: Fedora
Version: rawhide
Component: perl-generators
Keywords: FutureFeature
Assignee: jplesnik@xxxxxxxxxx
Reporter: ppisar@xxxxxxxxxx
QA Contact: extras-qa@xxxxxxxxxxxxxxxxx
CC: jplesnik@xxxxxxxxxx, perl-devel@xxxxxxxxxxxxxxxxxxxxxxx, ppisar@xxxxxxxxxx

Many Perl modules use a very indirect way of declaring module versions. E.g. Encode-2.98's Encode::Byte uses:

    our $VERSION = do { my @r = ( q$Revision: 2.4 $ =~ /\d+/g ); sprintf "%d." . "%02d" x $#r, @r };

Thus the intended module version is "2.04", while the current perl-generators sees "2.4". These two Perl versions have different meanings (2.040.000 versus 2.400.000).

It would be great if perl-generators evaluated the "our $VERSION =" lines with perl and used that value instead of parsing the lines. This is how CPAN extracts the versions.

Beware that this can lead to executing arbitrary code (e.g. executing external commands). Some countermeasures can be used, like the "Safe" module or running the eval in a forked process, but these cannot prevent all the attack vectors. On the other hand, the generator is usually executed by rpmbuild after executing Makefile.PL and other later-scanned code, thus the use case of building RPM packages does not pose any new security issues.

-- 
_______________________________________________
perl-devel mailing list -- perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
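The following script is an added example and is not perl-generators' code, nor anything attached to this bug. It shows the two approaches the report contrasts side by side: a regex-only scan of the `our $VERSION = ...` statement (a deliberately simplified stand-in, not perl-generators' actual pattern) versus evaluating the statement with perl itself, here inside a `Safe` compartment in a forked child with an `alarm` limit, as the report's countermeasures suggest. The module sources, the `version_statement`, `naive_version` and `eval_version_isolated` helpers, and the two hostile samples are all constructed for illustration; the Encode::Byte line is the one quoted in the report.

```perl
#!/usr/bin/perl
# Added example (not perl-generators code): compare a regex scan of the
# "$VERSION" statement with evaluating it in a Safe compartment in a
# forked child, and normalise both with version.pm.
use strict;
use warnings;
use Safe;
use POSIX ();
use version;

# Constructed sample module sources; nothing here is read from disk.
my %samples = (
    'Encode::Byte (RCS keyword style)' =>
        "package Encode::Byte;\n"
      . 'our $VERSION = do { my @r = ( q$Revision: 2.4 $ =~ /\d+/g ); sprintf "%d." . "%02d" x $#r, @r };'
      . "\n1;\n",
    'plain string' =>
        "package Foo;\nour \$VERSION = '1.23';\n1;\n",
    'hostile: runs a command' =>
        "package Evil;\nour \$VERSION = do { system('echo pwned >&2'); '9.9' };\n1;\n",
    'hostile: never returns' =>
        "package Spin;\nour \$VERSION = do { 1 while 1 };\n1;\n",
);

# Pull out the first single-line "$VERSION = ...;" statement. Multi-line
# assignments are not handled; that is a limitation of this example.
sub version_statement {
    my ($src) = @_;
    return $src =~ /^[ \t]*((?:our\s+)?\$VERSION\s*=.*?;)[ \t]*$/m ? $1 : undef;
}

# Stand-in for a regex-only scanner: first dotted number after the "=".
# Simplified for illustration; not perl-generators' own regex.
sub naive_version {
    my ($stmt) = @_;
    return $stmt =~ /=\s*.*?(\d+(?:\.\d+)*)/ ? $1 : undef;
}

# Evaluate the statement in a forked child under Safe with a wall-clock
# limit. Returns ('ok', $version) or ('err', $reason). This narrows the
# attack surface (default opset has no system/backticks/open) but does
# not close it: the module's code still runs on the build host.
sub eval_version_isolated {
    my ($stmt, $timeout) = @_;
    $timeout ||= 3;
    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork;
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                          # child
        close $rd;
        my $report = eval {
            local $SIG{ALRM} = sub { die "timeout after ${timeout}s\n" };
            alarm $timeout;
            my $cpt = Safe->new;              # default op mask
            $cpt->reval($stmt);
            die $@ if $@;                     # compile/runtime error inside the compartment
            my $v = ${ $cpt->varglob('VERSION') };
            alarm 0;
            defined $v ? "ok\t$v" : "err\t\$VERSION not set";
        };
        $report = "err\t$@" unless defined $report;
        $report =~ s/\s+\z//;
        print {$wr} $report;
        close $wr;
        POSIX::_exit(0);                      # skip END blocks and destructors
    }

    close $wr;                                # parent
    my $report = do { local $/; <$rd> };
    close $rd;
    waitpid $pid, 0;
    $report = "err\tchild produced no report" unless defined $report && length $report;
    return split /\t/, $report, 2;
}

for my $name (sort keys %samples) {
    my $stmt = version_statement($samples{$name});
    print "$name\n";
    printf "  statement : %s\n", $stmt // '(none found)';
    next unless defined $stmt;

    my $naive = naive_version($stmt);
    printf "  regex scan: %s  (numifies to %s)\n",
        $naive // '?', defined $naive ? version->parse($naive)->numify : '?';

    my ($status, $value) = eval_version_isolated($stmt);
    if ($status eq 'ok') {
        printf "  evaluated : %s  (numifies to %s)\n", $value, version->parse($value)->numify;
    } else {
        printf "  evaluated : refused: %s\n", $value;
    }
}
```

For the Encode::Byte line the regex scan yields "2.4" (numified 2.400) while evaluation yields "2.04" (numified 2.040), which is exactly the discrepancy the report describes. The `system` sample is rejected at compile time by the Safe op mask, and the `1 while 1` sample is cut off by the alarm; neither of those protections covers memory exhaustion or other resource abuse, which is why the report's point stands that the sandboxing is a mitigation, not a boundary, and that the real justification is that Makefile.PL has already run arbitrary module code by the time the generator is invoked.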