path: root/doc/patchqueue/lib-fixup.mdwn
blob: bdf8566d80faaad83690fc3d1e28f43061377fdc (plain)

I'm using Ikiwiki on a box where I don't have root access, so I install all of my Perl modules in ~/lib. The ikiwiki.in script is run in Taint mode, which means that it ignores the contents of $ENV{PERL5LIB}. The result is that the current versions of the prerequisite modules I've installed in ~/lib are ignored by ./make, which uses the outdated, and therefore incompatible, versions from the system-wide @INC... ;-)

I imagine that there's a clean and elegant solution to this, but the hack I'm currently using is to have ./make alter ikiwiki.in before it's run, by inserting use lib ... lines for each of the directories in $ENV{PERL5LIB}. Again, this is clearly ugly, but it allows me to run ./make, so I'm submitting it FWIW.

I don't like this patch because it's not expected that an environment variable will stick around outside the shell that it's set in. It could lead to surprising behavior if PERL5LIB happened to be set during build, and it's even possible for it to lead to security issues: imagine if I accidentally built the debian package of ikiwiki with PERL5LIB set -- then it would be hardcoded to look in /home/joey for libraries, which someone with a "joey" account elsewhere could use to exploit it.

You could remove the taint switch locally; it's very unlikely to find tainting problems that nobody else has noticed. --[[Joey]]
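
The risk described in the comment above, a build-time PERL5LIB ending up hardcoded in the shipped script, can be checked for before packaging. This is an added example, not part of the thread or of ikiwiki; the helper names, the sample script and the quoted `use lib '...'` form are assumptions.

```shell
#!/bin/sh
# Print every `use lib` path in a built script that looks tied to the build
# environment: a path under a home directory, or one equal to an entry of the
# PERL5LIB value that was set at build time.
# Assumption: paths are written as use lib '...' or use lib "..." on one line;
# qw(...) lists are not parsed. Helper names are hypothetical.
find_baked_lib_paths() {
    script=$1
    perl5lib=$2
    # Extract the quoted argument of each `use lib` line.
    sed -n "s/^[[:space:]]*use[[:space:]]\{1,\}lib[[:space:]]\{1,\}[\"']\([^\"']*\)[\"'].*/\1/p" "$script" |
    while IFS= read -r dir; do
        case $dir in
            /home/*|/root/*|/Users/*) printf '%s\n' "$dir"; continue ;;
        esac
        # Compare against each colon-separated PERL5LIB entry.
        old_ifs=$IFS; IFS=:
        for entry in $perl5lib; do
            if [ -n "$entry" ] && [ "$dir" = "$entry" ]; then
                printf '%s\n' "$dir"
                break
            fi
        done
        IFS=$old_ifs
    done
}

# Constructed sample of a built script with build-time paths inserted.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/usr/bin/perl -T
use lib '/home/joey/lib';
use lib "/opt/build/perl5";
use lib '/usr/share/perl5';
use strict;
EOF
    printf '%s\n' "$f"
}

# Flags /home/joey/lib and /opt/build/perl5, but not /usr/share/perl5.
find_baked_lib_paths "$(make_sample)" "/opt/build/perl5"
```

Any output means the built script should not be packaged or installed system-wide as it stands.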

I completely understand rejecting this patch, but would you accept one to automate the removal of -T as a make option, then? I was trying to install Ikiwiki on a very popular web host, and the aforementioned issue took quite a while to debug; I imagine many people would have simply given up. -- Ben

Well, the problem with an option is finding the option before you give up. Maybe an option and adding some docs to the [[setup]] or [[tips]] page about how to use ikiwiki with $BIG_HOSTING_PROVIDER, that can mention the option. --[[Joey]]

I was going to write a guide for shared hosting setup anyway, so that sounds great. My make-fu is weak, so I don't know the Right Way to add an extra option, but here's a patch for removing the -T flag. -- Ben