Security: parse_version eval

[rurban]

get_version is dangerous code

Beware of the security issues for cpan testers or unchecked sources, as
the '$VERSION = ...' line in a .pm file is simply evaluated, without
any sanity check.

Allowed can only a $ver_qr with /^v? [\d_\.]+/ and /qv\($ver_qr\)/,
but for sure not any sub call or ; or eval

We cannot use Safe as it needs to run with miniperl, but at least a security sanity check is required.

[Leont]

Yes, this is known. There is no way to do this safely and correctly (people do crazy stuff in their versions), one has to choose :-/

[rurban]

The worst I've found with http://grep.cpan.me/?q=%5C%24VERSION+%3D+%5Cw
are

Encode-InCharset-0.03/InCharset.pm:
our $VERSION = do { my @r = (q$Revision: 0.3 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };

Compress/Raw/Bzip2.pm:
$VERSION = '0.0_01';
$XS_VERSION = $VERSION; 
$VERSION = eval $VERSION;

• The eval idiom can be detected in the XS _ case, and be left out. There's no need to eval a VERSION which was already defined. If someone needs the numeric only part in EUMM, strip out the _ manually.

• id expansion is not a thing anymore, but some still do it. $Revision: 0.3 parsing can be easily added.

• $VERSION = Other->version not needed for EUMM.

• our $VERSION = version->declare('v0.29.0');
  needs to be changed to $VERSION = v0.29.0; which is not backcompat. qv() neither.
  but these are not used in a VERSION_FROM file, or in packages >5.10.

All others should safely die.

[karenetheridge]

We're working towards having Module::Metadata extract and evaluate the version in a Safe compartment, and it is the hope that EUMM's version extraction will be replaced with a call to Module::Metadata.

[karenetheridge]

our $VERSION = '0.0_01';
$VERSION = eval $VERSION;

This is an important construct and should not be removed. The single line containing the $VERSION definition is detected and extracted by Module::Metadata, and should contain the underscore. Performing an eval on a separate line ensures that $VERSION in running code is numeric and does not contain an underscore.

our $VERSION = version->declare('v0.29.0');

I believe this was the recommended way to declare a v-string version, but others are more qualified to comment here.

see also http://www.dagolden.com/index.php/369/version-numbers-should-be-boring/

[Leont]

I believe this was the recommended way to declare a v-string version, but others are more qualified to comment here.

You can't assume that version.pm will be loaded as it won't be by default on 5.8 and older, so one needs to load version.pm first (on the same line).

[rurban]

Safe will not work with EUMM, as EUMM is used in core with miniperl, and miniperl cannot load Safe.

[haarg]

The version formats we need to support for perl core are much more limited though. We could have a simple static parsing routine as fallback, and use Module::Metadata (or a similar routine) when Safe is available.

[Leont]

The version formats we need to support for perl core are much more limited though. We could have a simple static parsing routine as fallback, and use Module::Metadata (or a similar routine) when Safe is available.

That is an excellent observation :-)

[haarg]

Here's an untested attempt at static parsing: dd23ba5. It still falls back to eval if it can't parse statically.