4 my %Expect_File = (); # what we expect for $_
5 my %Expect_Name = (); # what we expect for $File::Find::name/fullname
6 my %Expect_Dir = (); # what we expect for $File::Find::dir
# $cwd receives the raw result of cwd(); $cwd_untainted is the copy that
# has been passed through a regex capture and is the one handed to chdir().
7 my ($cwd, $cwd_untainted);
12 unshift @INC => '../lib';
# Launder every environment value through a capture group so that it is
# no longer tainted. /(.*)/ validates nothing: it accepts any value and,
# without /s, keeps only the text before the first newline. That is
# adequate for a test harness but is not a model for untainting real input.
19 for (keys %ENV) { # untaint ENV
20 ($ENV{$_}) = $ENV{$_} =~ /(.*)/;
24 # Remove insecure directories from PATH
# @path is not declared in the lines shown here.
26 my $sep = $Config{path_sep};
27 foreach my $dir (split(/\Q$sep/,$ENV{'PATH'}))
30 ## Match the directory taint tests in mg.c::Perl_magic_setenv()
# Three tests decide whether an entry is kept: a length of 256 or more,
# no leading "/" (not absolute), and the other-write bit (002) set in the
# stat mode. The operators joining them are on lines not shown
# (presumably ||, so failing any one test drops the entry).
32 push(@path,$dir) unless (length($dir) >= 256
34 substr($dir,0,1) ne "/"
36 (stat $dir)[2] & 002);
# Rebuild PATH from the surviving entries only.
38 $ENV{'PATH'} = join($sep,@path);
41 use Test::More tests => 45;
# Probe for symlink support: the builtin raises an exception on platforms
# that do not implement it, so the eval yields 1 only where it exists.
43 my $symlink_exists = eval { symlink("",""); 1 };
# Smoke test: find() started in the current directory must see
# commonsense.t. untaint => 1 tells File::Find to untaint directory names
# before it chdir()s into them. The pattern ^(.+)$ accepts any non-empty
# name without an embedded newline, so it performs no real validation;
# File::Find's documented default is the stricter qr|^([-+@\w./]+)$|.
52 find({wanted => sub { $found = 1 if ($_ eq 'commonsense.t') },
53 untaint => 1, untaint_pattern => qr|^(.+)$|}, File::Spec->curdir);
55 ok($found, 'commonsense.t found');
# Same check through finddepth(). Lines between the two calls are not shown.
58 finddepth({wanted => sub { $found = 1 if $_ eq 'commonsense.t'; },
59 untaint => 1, untaint_pattern => qr|^(.+)$|}, File::Spec->curdir);
61 ok($found, 'commonsense.t found again');
# When true, wanted_File_Dir tests -d against the cached stat buffer (_)
# instead of stat()ing $_ again; it is set to 1 before the symlink tests.
64 my $FastFileTests_OK = 0;
# Fixture teardown: remove the files, then the directories, of the
# for_find tree. The return values of unlink/rmdir/chdir are not checked,
# so this is best effort. The header of the enclosing sub or block and
# some lines of its body are not shown.
67 if (-d dir_path('for_find')) {
68 chdir(dir_path('for_find'));
70 if (-d dir_path('fa')) {
71 unlink file_path('fa', 'fa_ord'),
72 file_path('fa', 'fsl'),
73 file_path('fa', 'faa', 'faa_ord'),
74 file_path('fa', 'fab', 'fab_ord'),
75 file_path('fa', 'fab', 'faba', 'faba_ord'),
76 file_path('fb', 'fb_ord'),
77 file_path('fb', 'fba', 'fba_ord');
# Directories are removed innermost first, since rmdir needs them empty.
78 rmdir dir_path('fa', 'faa');
79 rmdir dir_path('fa', 'fab', 'faba');
80 rmdir dir_path('fa', 'fab');
82 rmdir dir_path('fb', 'fba');
84 chdir File::Spec->updir;
85 rmdir dir_path('for_find');
# Presumably the body of touch() (its "sub" line is not shown): create or
# truncate the named file with a three-argument open and record the
# outcome as a test.
94 ok( open(my $T,'>',$_[0]), "Opened $_[0] successfully" );
# Presumably the body of MkDir() (its "sub" line is not shown): create
# directory $_[0] with mode $_[1] and record the outcome as a test.
98 ok( mkdir($_[0],$_[1]), "Created directory $_[0] successfully" );
# wanted callback: asserts that the current entry was expected and ticks
# it off in %Expect_File.
101 sub wanted_File_Dir {
102 print "# \$File::Find::dir => '$File::Find::dir'\n";
103 print "# \$_ => '$_'\n";
# On VMS, drop a trailing "." from the name (but leave "." itself alone).
104 s#\.$## if ($^O eq 'VMS' && $_ ne '.');
105 ok( $Expect_File{$_}, "Expected and found $File::Find::name" );
# The entry is removed from %Expect_File unless it is listed in
# %Expect_Dir and yet is not a directory. The two branches differ only in
# how -d is evaluated: "_" reuses the stat buffer of the most recent file
# test, while the other branch (its "else" line is not shown) stats $_.
106 if ( $FastFileTests_OK ) {
107 delete $Expect_File{ $_}
108 unless ( $Expect_Dir{$_} && ! -d _ );
110 delete $Expect_File{$_}
111 unless ( $Expect_Dir{$_} && ! -d $_ );
# wanted callback that prunes: setting $File::Find::prune stops find()
# from descending into the directory named 'faba'.
115 sub wanted_File_Dir_prune {
117 $File::Find::prune=1 if $_ eq 'faba';
# NOTE(review): lines 118-120 are not shown; the two prints below may
# belong to a different sub (simple_wanted is referenced later in the
# file). They only emit diagnostics.
121 print "# \$File::Find::dir => '$File::Find::dir'\n";
122 print "# \$_ => '$_'\n";
126 # Use dir_path() to specify a directory path that's expected for
127 # $File::Find::dir (%Expect_Dir). Also use it in file operations like
130 # dir_path() concatenates directory names to form a *relative*
131 # directory path, independent from the platform it's run on, although
132 # there are limitations. Don't try to create an absolute path,
133 # because that may fail on operating systems that have the concept of
134 # volume names (e.g. Mac OS). As a special case, you can pass it a "."
135 # as first argument, to create a directory path like "./fa/dir" on
136 # operating systems other than Mac OS (actually, Mac OS will ignore
137 # the ".", if it's the first argument). If there's no second argument,
138 # this function will return the empty string on Mac OS and the string
# NOTE(review): body of dir_path(); its "sub" line is not shown.
142 my $first_arg = shift @_;
144 if ($first_arg eq '.') {
145 if ($^O eq 'MacOS') {
147 # ignore first argument; return a relative path
148 # with leading ":" and with trailing ":"
149 return File::Spec->catdir(@_);
# Non-MacOS branch (its opening line is not shown): "." alone yields "./".
151 return './' unless @_;
152 my $path = File::Spec->catdir(@_);
# Lines 153-157, which finish this branch, are not shown.
158 } else { # $first_arg ne '.'
159 return $first_arg unless @_; # return plain filename
160 return File::Spec->catdir($first_arg, @_); # relative path
165 # Use topdir() to specify a directory path that you want to pass to
166 # find/finddepth. Basically, topdir() does the same as dir_path() (see
167 # above), except that there's no trailing ":" on Mac OS.
# NOTE(review): body of topdir(); its "sub" line is not shown.
170 my $path = dir_path(@_);
# Mac OS only: strip the trailing ":" that dir_path() leaves.
171 $path =~ s/:$// if ($^O eq 'MacOS');
176 # Use file_path() to specify a file path that's expected for $_
177 # (%Expect_File). Also suitable for file operations like unlink etc.
179 # file_path() concatenates directory names (if any) and a filename to
180 # form a *relative* file path (the last argument is assumed to be a
181 # file). It's independent from the platform it's run on, although
182 # there are limitations. As a special case, you can pass it a "." as
183 # first argument, to create a file path like "./fa/file" on operating
184 # systems other than Mac OS (actually, Mac OS will ignore the ".", if
185 # it's the first argument). If there's no second argument, this
186 # function will return the empty string on Mac OS and the string "./"
# NOTE(review): body of file_path(); its "sub" line is not shown.
190 my $first_arg = shift @_;
192 if ($first_arg eq '.') {
193 if ($^O eq 'MacOS') {
195 # ignore first argument; return a relative path
196 # with leading ":", but without trailing ":"
197 return File::Spec->catfile(@_);
# Non-MacOS branch (its opening line is not shown): "." alone yields "./".
199 return './' unless @_;
200 my $path = File::Spec->catfile(@_);
# Lines 201-205, which finish this branch, are not shown.
206 } else { # $first_arg ne '.'
207 return $first_arg unless @_; # return plain filename
208 return File::Spec->catfile($first_arg, @_); # relative path
213 # Use file_path_name() to specify a file path that's expected for
214 # $File::Find::name (%Expect_Name). Note: When the no_chdir => 1
215 # option is in effect, $_ is the same as $File::Find::name. In that
216 # case, also use this function to specify a file path that's expected
219 # Basically, file_path_name() does the same as file_path() (see
220 # above), except that there's always a leading ":" on Mac OS, even for
221 # plain file/directory names.
# NOTE(review): body of file_path_name(); its "sub" line is not shown.
224 my $path = file_path(@_);
# Mac OS only: prefix ":" when the path contains no ":" at all.
225 $path = ":$path" if (($^O eq 'MacOS') && ($path !~ /:/));
# Build the fixture tree under for_find/. Every directory is requested
# with mode 0770.
230 MkDir( dir_path('for_find'), 0770 );
231 ok( chdir( dir_path('for_find')), 'successful chdir() to for_find' );
# Keep a laundered copy of the working directory for the chdir() calls
# that follow each eval'd find(). The pattern ^(.+)$ accepts any non-empty
# value, so this removes the taint flag without validating the path.
233 $cwd = cwd(); # save cwd
234 ( $cwd_untainted ) = $cwd =~ m|^(.+)$|; # untaint it
236 MkDir( dir_path('fa'), 0770 );
237 MkDir( dir_path('fb'), 0770 );
238 touch( file_path('fb', 'fb_ord') );
239 MkDir( dir_path('fb', 'fba'), 0770 );
240 touch( file_path('fb', 'fba', 'fba_ord') );
# fa/fsl is a symlink to the sibling directory fb, i.e. it points outside
# the fa tree that find() is started on. The "follow" tests later in the
# file expect fb's contents to show up under fa/fsl.
242 skip "Creating symlink", 1, unless $symlink_exists;
243 if ($^O eq 'MacOS') {
244 ok( symlink(':fb',':fa:fsl'), 'Created symbolic link' );
246 ok( symlink('../fb','fa/fsl'), 'Created symbolic link' );
249 touch( file_path('fa', 'fa_ord') );
251 MkDir( dir_path('fa', 'faa'), 0770 );
252 touch( file_path('fa', 'faa', 'faa_ord') );
253 MkDir( dir_path('fa', 'fab'), 0770 );
254 touch( file_path('fa', 'fab', 'fab_ord') );
255 MkDir( dir_path('fa', 'fab', 'faba'), 0770 );
256 touch( file_path('fa', 'fab', 'faba', 'faba_ord') );
258 print "# check untainting (no follow)\n";
260 # untainting here should work correctly
# Expected values of $_ for a walk of fa without following links.
# 'faba_ord' is absent because wanted_File_Dir_prune prunes faba.
262 %Expect_File = (File::Spec->curdir => 1, file_path('fsl') =>
263 1,file_path('fa_ord') => 1, file_path('fab') => 1,
264 file_path('fab_ord') => 1, file_path('faba') => 1,
265 file_path('faa') => 1, file_path('faa_ord') => 1);
# fsl exists only when the symlink could be created.
266 delete $Expect_File{ file_path('fsl') } unless $symlink_exists;
269 %Expect_Dir = ( dir_path('fa') => 1, dir_path('faa') => 1,
270 dir_path('fab') => 1, dir_path('faba') => 1,
271 dir_path('fb') => 1, dir_path('fba') => 1);
273 delete @Expect_Dir{ dir_path('fb'), dir_path('fba') } unless $symlink_exists;
# Positive case: with untaint => 1 and a pattern that matches every name,
# the walk must complete and tick off every expected entry.
275 File::Find::find( {wanted => \&wanted_File_Dir_prune, untaint => 1,
276 untaint_pattern => qr|^(.+)$|}, topdir('fa') );
278 is(scalar keys %Expect_File, 0, 'Found all expected files');
281 # don't untaint at all, should die
# Negative case 1: no untaint option. The eval must end with an
# "Insecure dependency" error rather than a completed walk.
286 eval {File::Find::find( {wanted => \&simple_wanted}, topdir('fa') );};
287 like( $@, qr|Insecure dependency|, 'Tainted directory causes death (good)' );
# Return to the fixture root after the aborted walk; the result of chdir
# is not checked.
288 chdir($cwd_untainted);
291 # untaint pattern doesn't match, should die
# Negative case 2: untaint is on but the pattern matches no directory
# name, so the name stays tainted and find() must die with
# "is still tainted". The rest of this call is on lines not shown.
294 eval {File::Find::find( {wanted => \&simple_wanted, untaint => 1,
295 untaint_pattern => qr|^(NO_MATCH)$|},
298 like( $@, qr|is still tainted|, 'Bad untaint pattern causes death (good)' );
299 chdir($cwd_untainted);
302 # untaint pattern doesn't match, should die when we chdir to cwd
303 print "# check untaint_skip (No follow)\n";
# Negative case 3: untaint_skip => 1 makes File::Find skip directories
# that fail the pattern instead of dying on them. The error asserted here
# is "insecure cwd", i.e. the working directory itself failed the pattern.
306 eval {File::Find::find( {wanted => \&simple_wanted, untaint => 1,
307 untaint_skip => 1, untaint_pattern =>
308 qr|^(NO_MATCH)$|}, topdir('fa') );};
312 like( $@, qr|insecure cwd|, 'Bad untaint pattern causes death in cwd (good)' );
314 chdir($cwd_untainted);
# All 17 remaining tests need a working symlink().
318 skip "Symbolic link tests", 17, unless $symlink_exists;
319 print "# --- symbolic link tests --- \n";
# From here on wanted_File_Dir uses -d _ (the cached stat buffer) for its
# directory test.
320 $FastFileTests_OK= 1;
322 print "# check untainting (follow)\n";
324 # untainting here should work correctly
325 # no_chdir is in effect, hence we use file_path_name to specify the expected paths for %Expect_File
# With follow_fast the walk goes through the fa/fsl symlink, so fb's
# entries are expected under fa/fsl even though fb lies outside
# topdir('fa'). Following links lets the walk leave the tree it was
# started on, which is what these expectations exercise.
327 %Expect_File = (file_path_name('fa') => 1,
328 file_path_name('fa','fa_ord') => 1,
329 file_path_name('fa', 'fsl') => 1,
330 file_path_name('fa', 'fsl', 'fb_ord') => 1,
331 file_path_name('fa', 'fsl', 'fba') => 1,
332 file_path_name('fa', 'fsl', 'fba', 'fba_ord') => 1,
333 file_path_name('fa', 'fab') => 1,
334 file_path_name('fa', 'fab', 'fab_ord') => 1,
335 file_path_name('fa', 'fab', 'faba') => 1,
336 file_path_name('fa', 'fab', 'faba', 'faba_ord') => 1,
337 file_path_name('fa', 'faa') => 1,
338 file_path_name('fa', 'faa', 'faa_ord') => 1);
# One entry of this hash (line 346) is not shown.
342 %Expect_Dir = (dir_path('fa') => 1,
343 dir_path('fa', 'faa') => 1,
344 dir_path('fa', 'fab') => 1,
345 dir_path('fa', 'fab', 'faba') => 1,
347 dir_path('fb', 'fba') => 1);
# Positive case: link-following walk without chdir, untainting enabled
# with a pattern that matches every name.
349 File::Find::find( {wanted => \&wanted_File_Dir, follow_fast => 1,
350 no_chdir => 1, untaint => 1, untaint_pattern =>
351 qr|^(.+)$| }, topdir('fa') );
353 is( scalar(keys %Expect_File), 0, 'Found all files in symlink test' );
356 # don't untaint at all, should die
# Link-following variant of the "no untaint option" case. The rest of
# this call is on lines not shown.
359 eval {File::Find::find( {wanted => \&simple_wanted, follow => 1},
362 like( $@, qr|Insecure dependency|, 'Not untainting causes death (good)' );
# Return to the fixture root; the result of chdir is not checked.
363 chdir($cwd_untainted);
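365 # untaint pattern doesn't match, should die
# Link-following variant of the "pattern matches nothing" case: untaint is
# on, but qr|^(NO_MATCH)$| matches no directory name, so find() must die
# with "is still tainted".
368 eval {File::Find::find( {wanted => \&simple_wanted, follow => 1,
369 untaint => 1, untaint_pattern =>
370 qr|^(NO_MATCH)$|}, topdir('fa') );};
# Test name spelled "Bad", matching the no-follow test with the same check.
372 like( $@, qr|is still tainted|, 'Bad untaint pattern causes death (good)' );
# Return to the fixture root; the result of chdir is not checked.
373 chdir($cwd_untainted);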
375 # untaint pattern doesn't match, should die when we chdir to cwd
376 print "# check untaint_skip (Follow)\n";
# NOTE(review): this section is labelled "(Follow)", but the options hash
# below sets neither follow nor follow_fast, so it repeats the no-follow
# untaint_skip case. Confirm whether follow => 1 was intended.
379 eval {File::Find::find( {wanted => \&simple_wanted, untaint => 1,
380 untaint_skip => 1, untaint_pattern =>
381 qr|^(NO_MATCH)$|}, topdir('fa') );};
382 like( $@, qr|insecure cwd|, 'Cwd not untainted with bad pattern (good)' );
# Return to the fixture root; the result of chdir is not checked.
384 chdir($cwd_untainted);