New metric: check that .pm in lib/ are not executable #20

Open
dolmen opened this issue Feb 25, 2015 · 3 comments
Comments

@dolmen (Member) commented Feb 25, 2015

Check the file permissions in the tarball and report if a .pm in lib/ or any .pod has the execution bit set.

Examples:

  • App-Nopaste 1.003
  • Spreadsheet::ParseExcel 0.65
@charsbar

Is there any good and realistic reason for this, especially considering that files archived under Windows typically have executable bits?

@dolmen (Member, Author) commented Feb 26, 2015

I do not see any good reason for .pm files having the executable bit set once they are installed on Unix(-like) platforms. Apparently the install tool (EUMM in both examples) just copies this bit from the original file.
I've not yet found whether running a .pm could be exploited to bypass some security restrictions, but that does not mean it doesn't exist.

After thinking a bit more about it, this is more a SiteKwalitee metric. I have no idea how widespread this issue is on the CPAN, and a metric would help to discover it.

@dolmen (Member, Author) commented Feb 26, 2015

@dolmen TODO: explore .pm files starting with a shebang.
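An added example, not part of this issue or of the CPANTS code base, of the check described in the opening comment together with the shebang exploration noted in the TODO: it scans a distribution tarball, assumes the usual single `Dist-Version/` top-level directory, and reports any `.pm` under `lib/` or any `.pod` whose tar header carries an execute bit, plus any `.pm` under `lib/` that begins with `#!`. The sample tarball and its file names are constructed in memory for the demonstration.

```python
import io
import stat
import tarfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def is_module_or_pod(name):
    # Assumption: the tarball has the usual single top-level Dist-Version/ directory.
    rel = name.split("/", 1)[1] if "/" in name else name
    return rel.endswith(".pod") or (rel.startswith("lib/") and rel.endswith(".pm"))

def check_tarball(fileobj):
    """Return a sorted list of (member name, reason) findings for one tarball."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not is_module_or_pod(member.name):
                continue
            # Permission bits come straight from the tar header, i.e. the uploader's filesystem.
            if member.mode & EXEC_BITS:
                findings.append((member.name, "executable bit set (mode %04o)" % (member.mode & 0o7777)))
            # A .pm that starts with "#!" looks like a script rather than a module.
            if member.name.endswith(".pm"):
                data = tar.extractfile(member)
                if data is not None and data.read(2) == b"#!":
                    findings.append((member.name, "starts with a shebang"))
    return sorted(findings)

def build_sample_tarball():
    """Constructed sample distribution (not a real CPAN upload) held in memory."""
    files = {
        "Foo-Bar-0.01/lib/Foo/Bar.pm": (0o755, b"package Foo::Bar;\n1;\n"),
        "Foo-Bar-0.01/lib/Foo/Baz.pm": (0o644, b"#!/usr/bin/perl\npackage Foo::Baz;\n1;\n"),
        "Foo-Bar-0.01/lib/Foo/Ok.pm": (0o644, b"package Foo::Ok;\n1;\n"),
        "Foo-Bar-0.01/README.pod": (0o755, b"=head1 NAME\n\nFoo::Bar\n\n=cut\n"),
        "Foo-Bar-0.01/bin/foo": (0o755, b"#!/usr/bin/perl\nprint 1;\n"),  # scripts may be +x
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (mode, body) in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), mode
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in check_tarball(build_sample_tarball()):
        print(f"{name}: {reason}")
```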
