From: Graham Knop
Date: Mon, 27 Feb 2017 10:01:24 +0000 (+0100)
Subject: untaint cwd when constructing full perl file path
X-Git-Tag: v0.29~5
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=273db69d2f04dc29880dab6e45d59e25c3c3f1b3;p=p5sagit%2FConfig-Any.git

untaint cwd when constructing full perl file path

Previously, we would load perl files using a possibly relative path, which would work based on . being in @INC. Now that . is being removed, we need to use an absolute path (or ./ relative path). When absolutizing, cwd would be used, which can be tained. Although loading based on . in @INC violates the spirit of taint, it had previously worked and a downstream module expected it. Untaint the cwd that gets used so we can load relative paths under taint mode.
---
diff --git a/lib/Config/Any/Perl.pm b/lib/Config/Any/Perl.pm
index 2bddfa1..ff27b12 100644
--- a/lib/Config/Any/Perl.pm
+++ b/lib/Config/Any/Perl.pm
@@ -5,6 +5,7 @@ use warnings;
 
 use base 'Config::Any::Base';
 use File::Spec;
+use Cwd ();
 
 =head1 NAME
 
@@ -49,7 +50,11 @@ sub load {
 my( $exception, $content );
 {
 local $@;
- $content = do File::Spec->rel2abs($file);
+ # previously this would load based on . being in @INC, and wouldn't
+ # trigger taint errors even if '.' probably should have been considered
+ # tainted. untaint for backwards compatibility.
+ my ($cwd) = Cwd::cwd() =~ /\A(.*)\z/s;
+ $content = do File::Spec->rel2abs($file, $cwd);
 $exception = $@;
 }
 die $exception if $exception;
diff --git a/t/perl-taint.t b/t/perl-taint.t
new file mode 100644
index 0000000..abf644f
--- /dev/null
+++ b/t/perl-taint.t
@@ -0,0 +1,6 @@
+#!perl -T
+use strict;
+use warnings;
+
+do './t/53-perl.t'
+ or die ($@ || $!);
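Review bot: The untaint at `my ($cwd) = Cwd::cwd() =~ /\A(.*)\z/s;` launders the whole working directory unconditionally, even when `$file` is already absolute and `rel2abs` does not use the base at all; guarding the lookup with `unless File::Spec->file_name_is_absolute($file)` keeps the blanket untaint to the relative-path case the comment justifies. If `Cwd::cwd()` returns undef or an empty string (directory removed or unreadable), the match leaves `$cwd` undef and I believe `rel2abs` then falls back to its own cwd lookup, so the tainted value comes back and the `do` dies under -T with a less obvious message; either an explicit `defined $cwd or die "cannot determine cwd: $!";` or a comment stating that this fallback is accepted would make the intent clear. `sub load` begins before this hunk.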
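Review bot: t/perl-taint.t carries no comment saying why it exists, so a reader sees a file that only `do`es another test; a header such as `# Re-run t/53-perl.t with taint checks (-T) enabled, to cover the cwd untaint in Config::Any::Perl::load` would explain it. The `-T` on the shebang is only honoured when the harness propagates it (Test::Harness is expected to, a plain `perl t/perl-taint.t` is not), and the hard-coded `./t/53-perl.t` assumes the working directory is the distribution root; both are worth stating in that comment.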