Allow component modules to be loaded from any path #117
Conversation
jrha
force-pushed
the
remove-hasfile
branch
2 times, most recently
from
865af62
to
38c7ea1
Compare
|
@jrha i don't know the original reason not to use the perl system path, but this is against that (obviously). it also allows to pick up any component from PERL5LIB env variable, not sure that is an issue. we can probably add a restriction to also consider the perl builtin INC paths, and not only also, please add unittests |
jrha
force-pushed
the
remove-hasfile
branch
2 times, most recently
from
e8b4e5f
to
6ea1a0a
Compare
|
I guess @Piojo might have some insight into the benefits of path restrictions, I assumed that these were just kludges left over from pre EL6 days. I'll sort out the tests later, just wanted to get this out so we could discuss it. |
Fetch::Config: existing attributes and parameters should precede resp parameters and configvalues
|
Make sure I squash these commits before this gets merged. |
|
we agreed during the workshop of april 2018 to allow this, and this will be merged once reviewed |
|
@jrha just a minor remark, this is otherwise good to go |
jrha
force-pushed
the
remove-hasfile
branch
3 times, most recently
from
5ba8b87
to
effff19
Compare
|
Well I broke it, will try and figure out what I did later. |
|
@hpcugentbot please retest this please |
|
Removed the test checking an internal function before the component was initialised - was causing the test failures. |
|
@stdweird could you re-review this when you have a moment? 😇 |
|
I suspect this was originally in place because of CVE-2016-1238 https://rt.perl.org/Public/Bug/Display.html?id=127834 has more details but it's related to . in Can we block any modules being loaded from |
|
@ned21 you want that filtered here? i tought we already did this in the client tools (because otherwise you could load |
|
I thought I remembered that conversation too. So maybe that mitigation means it's now safe to remove from here? Can we confirm where the protection is now implemented and get that documented either inline as a comment or in the commit log? |
Remove hasFile method which artificially restricts the paths which component modules can be loaded from, allowing loading from any valid path in `@INC`. This allows component modules to be placed in a location appropriate for each operating system environment we target. This functionality may originally have been part of a mitigation against CVE-2016-1238, but this was also addressed in 5cfe993 in a far less restrictive way. * Remove usage of hasFile from ComponentProxyList * Declare mod_fn once and only when a value exists
|
@stdweird @ned21 commit message updated with explanation about CVE-2016-1238 |
Remove hasFile method which artificially restricts the paths which component
modules can be loaded from, allowing loading from any valid path in
@INC.This allows component modules to be placed in a location appropriate for each
operating system environments we target.
This change breaks backwards compatability by:
reportComponentsncm-ncd --list/quattor-listso could potentially be being parsed by someone.hasFileentirely.getComponentFilenameentirely.Resolves #116.