# HG changeset patch
# User Vladimir Marek
# Date 1481636037 -3600
# Node ID faf888b8f422ec6498bbae227faf0a11eaf5144d
# Parent ffcde471ae1029905946e03e33dfe2660b51a3b6
PSARC 2017/051 Perl - remove current path ('.') from @INC 24404149 problem in UTILITY/PERL
diff -r ffcde471ae10 -r faf888b8f422 components/perl/perl-common/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl/perl-common/Makefile Tue Dec 13 14:33:57 2016 +0100
@@ -0,0 +1,47 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+#
+
+# This package is holding /etc/perl/sitecustomize.pl script which is used by
+# all perl variants we ship. Every perl must have enabled -Dusesitecustomize
+# option and must be patched so that it looks for this script in /etc/perl.
+#
+# The sitecustomize.pl script is a temporary measure to remove '.' from @INC
+# (see CVE-2016-1238). It is planned that perl 5.26 will remove '.' from @INC
+# and our sitecustomize.pl will not be needed anymore.
+
+include ../../../make-rules/shared-macros.mk
+
+COMPONENT_NAME= perl-common
+COMPONENT_VERSION= 1
+COMPONENT_SRC=
+COMPONENT_PROJECT_URL= http://www.perl.org/
+COMPONENT_BUGDB= utility/perl
+
+include $(WS_MAKE_RULES)/prep.mk
+include $(WS_MAKE_RULES)/ips.mk
+
+# nothing to download or build; just publish the package
+build install test system-test:
+
diff -r ffcde471ae10 -r faf888b8f422 components/perl/perl-common/license
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl/perl-common/license Tue Dec 13 14:33:57 2016 +0100
@@ -0,0 +1,1 @@
+Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
diff -r ffcde471ae10 -r faf888b8f422 components/perl/perl-common/perl.p5m
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl/perl-common/perl.p5m Tue Dec 13 14:33:57 2016 +0100
@@ -0,0 +1,35 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+#
+
+set name=pkg.fmri \
+ value=pkg:/runtime/perl-common@$(COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value=Perl
+set name=pkg.description value="Common package for every perl"
+set name=info.classification \
+ value=org.opensolaris.category.2008:Development/Perl
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2017/051
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file sitecustomize.pl path=etc/perl/sitecustomize.pl owner=root group=sys \
+ mode=0644 overlay=allow preserve=renamenew
+license license license=Oracle
diff -r ffcde471ae10 -r faf888b8f422 components/perl/perl-common/sitecustomize.pl
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
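Review bot: The `file sitecustomize.pl path=etc/perl/sitecustomize.pl` action in perl.p5m delivers the '.'-removal as an editable file (`preserve=renamenew`, `overlay=allow`), so a later correction to the script may not reach systems where an administrator has modified it. If I read the pkg(5) semantics correctly, the updated copy is installed beside the modified one as `sitecustomize.pl.new`, and `overlay=allow` lets another package replace the file. I would add a manifest comment that says so, for example `# security-relevant: locally modified copies are not updated; merge sitecustomize.pl.new by hand`, and confirm that `overlay=allow` is actually needed.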
+++ b/components/perl/perl-common/sitecustomize.pl Tue Dec 13 14:33:57 2016 +0100
@@ -0,0 +1,4 @@
+# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+
+# Remove current path from @INC. Environment PERL_USE_UNSAFE_INC is override
+pop @INC if $INC[-1] eq '.' and !$ENV{PERL_USE_UNSAFE_INC};
diff -r ffcde471ae10 -r faf888b8f422 components/perl/perl522/Makefile
--- a/components/perl/perl522/Makefile Tue Mar 28 13:52:39 2017 -0700
+++ b/components/perl/perl522/Makefile Tue Dec 13 14:33:57 2016 +0100
@@ -94,6 +94,7 @@ -Duse64bitall \ -Dusethreads \ -Dlibpth="/lib/64 /usr/lib/64" \ + -Dusesitecustomize \ -Doptimize="$(CFLAGS.studio)" #
diff -r ffcde471ae10 -r faf888b8f422 components/perl/perl522/patches/sitecustomize.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/perl/perl522/patches/sitecustomize.patch Tue Dec 13 14:33:57 2016 +0100
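Review bot: The comment above `pop @INC if $INC[-1] eq '.' and !$ENV{PERL_USE_UNSAFE_INC};` in sitecustomize.pl does not state the limits of the mitigation, and they matter to anyone relying on it. The line drops '.' only when it is the last element, and any true value of PERL_USE_UNSAFE_INC in the inherited environment keeps it, so a privileged wrapper that passes the caller's environment through is not protected. The `-f` switch skips the file entirely, as the usage text patched in the 5.12 perl.c hunk shows. I would extend the comment along the lines of `# Best effort: skipped by perl -f; a true PERL_USE_UNSAFE_INC keeps '.' in @INC, so scrub it in privileged wrappers.`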
@@ -0,0 +1,140 @@ +Compilation of modified debian patches against perl. Not suitable for sending to upstream. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=5f866b6b20ebe3fd691b16951d24c3d6ff1f0cc2 + +Debian uses this sitecustomize.pl as a transition mechanism for removing the +current working directory (".") from @INC by default while leaving the local +administrator a temporary means of re-adding it back. This mechanism is +expected to be removed after one Debian stable release. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=2568fbda3ecc0fb3927734f80acb8ca67f8a1b18 + +This change allows the majority of Perl modules that cannot build/test/install +without . in INC to be able to do so, while maintaining a safer perl under +normal use. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=61c30d9b24c0b4e7f5ebccd9852f426beefe39cd + +This change allows the majority of Perl modules to build/test/install from the +cpan client without having to modify them. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=2f664e07a5c050b0afce16e185356162e3cff149 + +The intention is that sitecustomize.pl can be changed to remove '.' from @INC, +and this might become the default in future, so ensure that this doesn't cause +a build failure of perl. (This fixes perl test suite awaiting '.' in @iNC) + +--- perl-5.22.1/perl.c 2017-03-16 11:05:37.268288076 +0100 ++++ perl-5.22.1/perl.c 2017-03-16 11:05:04.472864804 +0100 +@@ -2109,7 +2109,8 @@ S_parse_body(pTHX_ char **env, XSINIT_t + } + # else + /* SITELIB_EXP is a function call on Win32. */ +- const char *const raw_sitelib = SITELIB_EXP; ++ /* temporary transition mechanism for dropping "." from @INC */ ++ const char *const raw_sitelib = "/etc/perl"; + if (raw_sitelib) { + /* process .../.. 
if PERL_RELOCATABLE_INC is defined */ + SV *sitelib_sv = mayberelocate(raw_sitelib, strlen(raw_sitelib), +--- perl-5.22.1/pod/perlrun.pod 2017-03-16 11:07:56.237694759 +0100 ++++ perl-5.22.1/pod/perlrun.pod 2017-03-16 11:07:30.936961423 +0100 +@@ -491,6 +491,11 @@ blocks will be likewise executed very la + To determine at runtime if this capability has been compiled in your + perl, you can check the value of C<$Config{usesitecustomize}>. + ++Note: on Solaris the system perl currently uses C ++rather than C<$Config{sitelib}/sitecustomize.pl>. This may change in the future ++and is only provided as a temporary transition mechanism for removing the ++current working directory from C<@INC>. ++ + =item B<-F>I + X<-F> + +--- perl-5.22.1/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm 2017-03-16 11:12:18.966578744 +0100 ++++ perl-5.22.1/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm 2017-03-16 11:12:01.064073018 +0100 +@@ -5,6 +5,11 @@ use strict; + + BEGIN {require 5.006;} + ++# Assure anything called from Makefile.PL is allowed to have . in @INC. ++BEGIN { ++ $ENV{PERL_USE_UNSAFE_INC} = 1; ++} ++ + require Exporter; + use ExtUtils::MakeMaker::Config; + use ExtUtils::MakeMaker::version; # ensure we always have our fake version.pm +--- perl-5.22.1/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm 2017-03-16 11:13:25.721894552 +0100 ++++ perl-5.22.1/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm 2017-03-16 11:13:08.607861893 +0100 +@@ -3553,7 +3553,7 @@ PERL_DL_NONLAZY set for tests. + + sub test_via_harness { + my($self, $perl, $tests) = @_; +- return $self->SUPER::test_via_harness("PERL_DL_NONLAZY=1 $perl", $tests); ++ return $self->SUPER::test_via_harness("PERL_DL_NONLAZY=1 PERL_USE_UNSAFE_INC=1 $perl", $tests); + } + + =item test_via_script (override) +@@ -3564,7 +3564,7 @@ Again, the PERL_DL_NONLAZY thing. 
+ + sub test_via_script { + my($self, $perl, $script) = @_; +- return $self->SUPER::test_via_script("PERL_DL_NONLAZY=1 $perl", $script); ++ return $self->SUPER::test_via_script("PERL_DL_NONLAZY=1 PERL_USE_UNSAFE_INC=1 $perl", $script); + } + + +--- perl-5.22.1/cpan/CPAN/scripts/cpan 2017-03-16 11:14:50.098675540 +0100 ++++ perl-5.22.1/cpan/CPAN/scripts/cpan 2017-03-16 11:14:34.150806982 +0100 +@@ -3,6 +3,11 @@ + use strict; + use vars qw($VERSION); + ++BEGIN { ++ # make sure we can install any modules from CPAN without patching them ++ $ENV{PERL_USE_UNSAFE_INC} = 1; ++} ++ + use App::Cpan '1.60_02'; + $VERSION = '1.61'; + +--- perl-5.22.1/t/run/runenv.t 2017-03-16 11:16:49.688662889 +0100 ++++ perl-5.22.1/t/run/runenv.t 2017-03-16 11:16:30.967051321 +0100 +@@ -12,7 +12,7 @@ BEGIN { + skip_all_without_config('d_fork'); + } + +-plan tests => 104; ++plan tests => 103; + + my $STDOUT = tempfile(); + my $STDERR = tempfile(); +@@ -285,8 +285,6 @@ is ($err, '', 'No errors when determinin + + my @default_inc = split /\n/, $out; + +-is ($default_inc[-1], '.', '. 
is last in @INC'); +- + my $sep = $Config{path_sep}; + foreach (['nothing', ''], + ['something', 'zwapp', 'zwapp'], +--- perl-5.22.1/t/porting/customized.dat 2017-03-16 12:12:50.949655917 +0100 ++++ perl-5.22.1/t/porting/customized.dat 2017-03-16 12:12:24.087578329 +0100 +@@ -2,7 +2,7 @@ CPAN cpan/CPAN/lib/CPAN.pm ce62c43d72f10 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/Command/MM.pm 7f4dfd0fe884bd42412bcf04ca80ef97b39c1d54 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/Liblist.pm bef099988b15fb0b2a1f5ac48c01af1f7f36d329 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/Liblist/Kid.pm 8168e18f0e3ce3ece4bb7e7c72d57ec07c67c402 +-ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm 7115e97a53559cb3ec061dd6f7f344e522724c4a ++ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm 6b691ba4edbb9832201ab21570d34ae4304e4613 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker/Config.pm f8db8d4245bf0684b8210c811f50d7cfb1a27d78 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker/FAQ.pod 757bffb47857521311f8f3bde43ebe165f8d5191 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker/Locale.pm 82be06851deb84c6419ad003ce9b6d1957f395f3 +@@ -23,7 +23,7 @@ ExtUtils::MakeMaker cpan/ExtUtils-MakeMa + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_NW5.pm 433135eecb85b4b1d90d3027432f329436c78447 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_OS2.pm 1fbb5605bfb47feee4083feba8aa85e659628f70 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_QNX.pm 5b66d1f485a6034d96fc24ba1665b1bad9e447f1 +-ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm 8cef99a9bd370ecfd07ddb0efbdcbb4101255e45 ++ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm fc2509f5d10e1046dd55b0dff0cafd19cb28157b + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_UWIN.pm 939572fde3d59ba77c2e677fe2df2bed4bed5898 + ExtUtils::MakeMaker 
cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_VMS.pm 09c2049bfd25b735e2a5bcf56a6cff7b4827f9c8 + ExtUtils::MakeMaker cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_VOS.pm d65d63f8217a55c36f62e249814988974f593c79 diff -r ffcde471ae10 -r faf888b8f422 components/perl/perl522/perl-522.p5m --- a/components/perl/perl522/perl-522.p5m Tue Mar 28 13:52:39 2017 -0700 +++ b/components/perl/perl522/perl-522.p5m Tue Dec 13 14:33:57 2016 +0100 @@ -20,10 +20,11 @@ # # -# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability uncommitted> +# set name=pkg.fmri \ value=pkg:/runtime/perl-522@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value=Perl @@ -2295,3 +2296,4 @@ dir path=usr/perl5/site_perl/$(PERL_VERSION)/$(P_ARCH)-solaris-thread-multi-64 # license perl.license license=Artistic +depend type=require fmri=runtime/perl-common diff -r ffcde471ae10 -r faf888b8f422 components/perl512/Makefile --- a/components/perl512/Makefile Tue Mar 28 13:52:39 2017 -0700 +++ b/components/perl512/Makefile Tue Dec 13 14:33:57 2016 +0100 @@ -97,6 +97,7 @@ -Dcf_by="perl-bugs" \ -Dmyhostname="localhost" \ -Dmksymlinks \ + -Dusesitecustomize \ -O \ -de diff -r ffcde471ae10 -r faf888b8f422 components/perl512/patches/sitecustomize.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/perl512/patches/sitecustomize.patch Tue Dec 13 14:33:57 2016 +0100 
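Review bot: The `BEGIN { $ENV{PERL_USE_UNSAFE_INC} = 1; }` blocks added to ExtUtils/MakeMaker.pm and scripts/cpan overwrite the variable unconditionally, so a user who exported `PERL_USE_UNSAFE_INC=0` to keep '.' out of @INC during builds loses that choice, and every child process inherits the unsafe value. Setting it only when absent keeps the compatibility goal and respects an explicit opt-out: `$ENV{PERL_USE_UNSAFE_INC} = 1 unless exists $ENV{PERL_USE_UNSAFE_INC};`. The literal `PERL_USE_UNSAFE_INC=1` prepended in `test_via_harness` and `test_via_script` has the same effect and could carry the caller's value instead. The identical blocks in components/perl512/patches/sitecustomize.patch need the same change.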
@@ -0,0 +1,108 @@ +Compilation of modified debian patches against perl. Not suitable for sending to upstream. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=5f866b6b20ebe3fd691b16951d24c3d6ff1f0cc2 + +Debian uses this sitecustomize.pl as a transition mechanism for removing the +current working directory (".") from @INC by default while leaving the local +administrator a temporary means of re-adding it back. This mechanism is +expected to be removed after one Debian stable release. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=2568fbda3ecc0fb3927734f80acb8ca67f8a1b18 + +This change allows the majority of Perl modules that cannot build/test/install +without . in INC to be able to do so, while maintaining a safer perl under +normal use. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=61c30d9b24c0b4e7f5ebccd9852f426beefe39cd + +This change allows the majority of Perl modules to build/test/install from the +cpan client without having to modify them. + +https://anonscm.debian.org/cgit/perl/perl.git/commit/?id=2f664e07a5c050b0afce16e185356162e3cff149 + +The intention is that sitecustomize.pl can be changed to remove '.' from @INC, +and this might become the default in future, so ensure that this doesn't cause +a build failure of perl. (This fixes perl test suite awaiting '.' in @iNC) + +--- perl-5.12.5/pod/perlrun.pod 2017-03-16 13:02:06.455341528 +0100 ++++ perl-5.12.5/pod/perlrun.pod 2017-03-16 13:01:42.332009730 +0100 +@@ -474,6 +474,11 @@ blocks will be likewise executed very la + To determine at runtime if this capability has been compiled in your + perl, you can check the value of C<$Config{usesitecustomize}>. + ++Note: on Solaris the system perl currently uses C ++rather than C<$Config{sitelib}/sitecustomize.pl>. This may change in the future ++and is only provided as a temporary transition mechanism for removing the ++current working directory from C<@INC>. 
++ + =item B<-F>I + X<-F> + +--- perl-5.12.5/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm 2017-03-16 13:02:55.230456796 +0100 ++++ perl-5.12.5/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm 2017-03-16 13:02:44.212235386 +0100 +@@ -5,6 +5,11 @@ use strict; + + BEGIN {require 5.006;} + ++# Assure anything called from Makefile.PL is allowed to have . in @INC. ++BEGIN { ++ $ENV{PERL_USE_UNSAFE_INC} = 1; ++} ++ + require Exporter; + use ExtUtils::MakeMaker::Config; + use Carp (); +--- perl-5.12.5/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm 2017-03-16 13:03:57.275174925 +0100 ++++ perl-5.12.5/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm 2017-03-16 13:03:45.547386666 +0100 +@@ -3426,7 +3426,7 @@ PERL_DL_NONLAZY set for tests. + + sub test_via_harness { + my($self, $perl, $tests) = @_; +- return $self->SUPER::test_via_harness("PERL_DL_NONLAZY=1 $perl", $tests); ++ return $self->SUPER::test_via_harness("PERL_DL_NONLAZY=1 PERL_USE_UNSAFE_INC=1 $perl", $tests); + } + + =item test_via_script (override) +@@ -3437,7 +3437,7 @@ Again, the PERL_DL_NONLAZY thing. 
+ + sub test_via_script { + my($self, $perl, $script) = @_; +- return $self->SUPER::test_via_script("PERL_DL_NONLAZY=1 $perl", $script); ++ return $self->SUPER::test_via_script("PERL_DL_NONLAZY=1 PERL_USE_UNSAFE_INC=1 $perl", $script); + } + + +--- perl-5.12.5/cpan/CPAN/scripts/cpan 2017-03-16 13:04:38.401778664 +0100 ++++ perl-5.12.5/cpan/CPAN/scripts/cpan 2017-03-16 13:04:22.625978404 +0100 +@@ -2,6 +2,11 @@ + use strict; + use vars qw($VERSION); + ++BEGIN { ++ # make sure we can install any modules from CPAN without patching them ++ $ENV{PERL_USE_UNSAFE_INC} = 1; ++} ++ + use App::Cpan; + $VERSION = '1.57'; + +--- perl-5.12.5/perl.c 2017-03-16 13:09:18.742227128 +0100 ++++ perl-5.12.5/perl.c 2017-03-16 13:09:01.197391811 +0100 +@@ -1965,7 +1965,7 @@ S_parse_body(pTHX_ char **env, XSINIT_t + const char *const sitelib = SITELIB_EXP; + (void)Perl_av_create_and_unshift_one(aTHX_ &PL_preambleav, + Perl_newSVpvf(aTHX_ +- "BEGIN { do {local $!; -f '%s/sitecustomize.pl'} && do '%s/sitecustomize.pl' }", sitelib, sitelib)); ++ "BEGIN { do {local $!; -f '%s/sitecustomize.pl'} && do '%s/sitecustomize.pl' }", "/etc/perl", "/etc/perl")); + } + #endif + +@@ -2821,7 +2821,7 @@ S_usage(pTHX_ const char *name) /* XXX + "-D[number/list] set debugging flags (argument is a bit mask or alphabets)", + "-e program one line of program (several -e's allowed, omit programfile)", + "-E program like -e, but enables all optional features", +-"-f don't do $sitelib/sitecustomize.pl at startup", ++"-f don't do /etc/perl/sitecustomize.pl at startup", + "-F/pattern/ split() pattern for -a switch (//'s are optional)", + "-i[extension] edit <> files in place (makes backup if extension supplied)", + "-Idirectory specify @INC/#include directory (several -I's allowed)", diff -r ffcde471ae10 -r faf888b8f422 components/perl512/perl-512.p5m --- a/components/perl512/perl-512.p5m Tue Mar 28 13:52:39 2017 -0700 +++ b/components/perl512/perl-512.p5m Tue Dec 13 14:33:57 2016 +0100 
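Review bot: The preamble string patched in perl.c, `-f '%s/sitecustomize.pl'} && do '%s/sitecustomize.pl'` with `/etc/perl` substituted, discards the result of `do`, so a sitecustomize.pl that is missing or fails to compile leaves '.' in @INC without any diagnostic. The file now carries a security mitigation and is delivered as an administrator-editable file, which makes this a fail-open path that should be documented. I would add a sentence to the perlrun.pod note telling administrators to verify after any edit that `.` is no longer listed, for instance with `perl -e 'print "$_\n" for @INC'`. S_parse_body starts and ends outside the inner hunk, so the surrounding conditions are not visible here.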
@@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability obsolete> @@ -2908,3 +2908,4 @@ link path=usr/perl5/pod target=$(PERL_VERSION)/lib/pod mediator=perl \ mediator-version=$(PERL_VERSION) license perl.license license=Artistic +depend type=require fmri=runtime/perl-common diff -r ffcde471ae10 -r faf888b8f422 components/perl512/perl-512thread.p5m --- a/components/perl512/perl-512thread.p5m Tue Mar 28 13:52:39 2017 -0700 +++ b/components/perl512/perl-512thread.p5m Tue Dec 13 14:33:57 2016 +0100 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. # set name=pkg.fmri \ @@ -471,3 +471,4 @@ # This is additional support to base perl 5.12 depend type=require fmri=runtime/perl-512 +depend type=require fmri=runtime/perl-common