All the Perl that's Practical to Extract and Report

Text::Template::Simple 0.61 is released

Burak on 2008-10-03T20:00:32

You can get if from CPAN :)

Actually, I've released 0.60 after several development versions. But immediately faced the infamous World-writable Files thingy. While I still don't think this is some serious security breach (compared to allowing arbitrary Makefile.PLs and Build.PLs entering your system), PAUSE indexer warned me (thanks to Andreas Koenig's recent change) about world-writable "directories" inside my tarball. Sice I was not using some 3rd party tar command and using Module::Build as the toolkit, I thought that this thing will not affect my distro. But I was wrong.

I didn't dig this much and both Archive::Tar (which handles archiving) and Module::Build lacked any info regarding this. So, after some quick investigation, as a quick fix, I've modified Module::Build::Base and changed this line in line 3704: 

   Archive::Tar->create_archive("$file.tar.gz", 1, @$files);
into this (removed adding directories to tar) 
   Archive::Tar->create_archive("$file.tar.gz", 1, grep { !-d $_ } @$files);
which seemed to solve my problem. I even opened a bug in the Module::Build RT Queue. I hope they'll apply this or find a better way to fix the tarball issue. And as I said in the RT BUG: I'm surprised that no one in the email thread seem to use this trio as their environment: Windows + Module::Build + Archive::Tar :p

Anyway, lets return to the subject. I've released a new version of Text::Template::Simple and it is kind of a milestone release including these new stuff:

  • Dynamic Includes (a.k.a processed includes)
  • Interpolation in includes
  • Chomping (global & per directive)
  • Template name access through $0
  • Explicit types to compile()
Chomping is similar to what TT has and maybe more. The biggest and tricky part was the dynamic includes and interpolation in includes. I've implemented that stuff several times before reaching it's current status (actually same thing happened with chomping). Includes currently miss stuff like parameter passing and applying filters, but I'll add these features eventually. At the moment it is possible to use things like: 
<% my $file = "t/data/interpolate_data"; %>
<%* $file . ".tts" %> # dynamic
<%+ $file . ".tts" %> # static
or without interpolation: 
<%* t/data/interpolate_data.tts %> # dynamic
<%+ t/data/interpolate_data.tts %> # static
And chomping: 
Test
   <%=- $foo -%>
123
Template name access: 
   I am <%= $0 %>
See the documentation for more information.

I like TT's features and even have to use it @ $work, but I need a non-mini-language thing. And CPAN is filled with re-invented wheels right? :)

talking about security breaches...

LaPerla on 2008-10-05T09:16:32

The reason why world writable directories are a security breach is this: if the target system is a multiuser system, then any user gets write access to a disk area that was never intended to be usable for anybody but the owner. Just see this as opening an otherwise protected disk area to a third party. By allowing a third party to usurp a directory you open a system for all sorts of breaches including the removal and addition of files.

So letting directories be world writable must be a conscious decision of a user, not something that you let him create accidentally, and we as the community must protect him from falling into such traps.

Thanks for your findings on the Archive::Tar directory issue!