Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

parse versions statically when possible #291

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

haarg
Copy link
Member

@haarg haarg commented Mar 3, 2017

This is incomplete, but is a start at addressing #288.

Parsing version declarations by evaling them is rather unsafe. It would
be possible to improve the security of that by using a Safe container.
However, Safe.pm is an XS module and EUMM has to work without any XS.
Safe.pm should only be unavailable when compiling perl core though, and
the versions in perl core can all be parsed statically.

This patch takes the first step, by implementing static parsing of
versions that follow common patterns. Later, a Safe container can be
added for the eval code path. We may consider adding a warning for
the more exotic forms, and possibly rejecting them in the far future.

There are currently some inconsistencies. Primarily, unquoted versions are extracted as strings rather than their parsed values. So the following version declarations will be parsed differently:

$VERSION = 0.0;
$VERSION = 1.200_003;
$VERSION = v1.2;
$VERSION = 1.2.3;

Parsing version declarations by evaling them is rather unsafe.  It would
be possible to improve the security of that by using a Safe container.
However, Safe.pm is an XS module and EUMM has to work without any XS.
Safe.pm should only be unavailable when compiling perl core though, and
the versions in perl core can all be parsed statically.

This patch takes the first step, by implementing static parsing of
versions that follow common patterns.  Later, a Safe container can be
added for the eval code path.  We may consider adding a warning for
the more exotic forms, and possibly rejecting them in the far future.
@karenetheridge
Copy link
Member

karenetheridge commented Mar 3, 2017 via email

@haarg
Copy link
Member Author

haarg commented Mar 6, 2017

I don't love the idea of adding another prereq to EUMM.

@haarg
Copy link
Member Author

haarg commented Apr 6, 2017

@karenetheridge Maybe we could move this code (and any further version parsing code) into an ExtUtils::ParseVersion or something that could be packaged with EUMM and both EUMM and Module::Metadata could use it. Then we can share the code without dealing with more bundling or prereqs in EUMM.

@karenetheridge
Copy link
Member

@haarg that would be eminently feasible, and make it a lot easier to wrangle future fixes to Module::Metadata as well.

I'll take some of my rambling thoughts to #toolchain for now (and we have the hackathon coming up soon too to work things out)..

@haarg haarg marked this pull request as draft September 13, 2020 13:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants