From: Sebastian Willert Date: Wed, 18 Oct 2006 20:37:23 +0000 (+0000) Subject: Changed DBIC::Schema->load_classes to be taint-safe even when Module::Find is used... X-Git-Tag: v0.07003~22 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=83542a7dc6aa41ab9c46572f78f62bc68cc50146;p=dbsrgits%2FDBIx-Class.git Changed DBIC::Schema->load_classes to be taint-safe even when Module::Find is used to fetch the classes to import. Added a testfile for this behavior and any further taint related issues.
---
diff --git a/lib/DBIx/Class/Schema.pm b/lib/DBIx/Class/Schema.pm
index aaf8e9f..8f8d846 100644
--- a/lib/DBIx/Class/Schema.pm
+++ b/lib/DBIx/Class/Schema.pm
@@ -269,6 +269,13 @@ sub load_classes {
 foreach my $prefix (keys %comps_for) {
 foreach my $comp (@{$comps_for{$prefix}||[]}) {
 my $comp_class = "${prefix}::${comp}";
+ { # try to untaint module name. mods where this fails
+ # are left alone so we don't have to change the old behavior
+ no locale; # localized \w doesn't untaint expression
+ if ( $comp_class =~ m/^( (?:\w+::)* \w+ )$/x ) {
+ $comp_class = $1;
+ }
+ }
 $class->ensure_class_loaded($comp_class);
 $comp_class->source_name($comp) unless $comp_class->source_name;
diff --git a/t/54taint.t b/t/54taint.t
new file mode 100644
index 0000000..8e93b48
--- /dev/null
+++ b/t/54taint.t
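Review bot: The untaint pattern in the added `if` anchors with `$`, which in Perl also matches before a trailing newline, so a name such as `"Foo::Bar\n"` passes the check and is silently rewritten to `Foo::Bar` by the `$1` assignment; since this regex is now the trust boundary for what reaches `ensure_class_loaded`, it should use the string-end anchors: `if ( $comp_class =~ m/\A( (?:\w+::)* \w+ )\z/x ) {`. `\w` also admits a leading digit in each component and, outside `no locale`, any Unicode word character, so `[A-Za-z_]\w*` per component would state the package-name rule more precisely — presumably harmless here because the later `require` would fail on such names anyway, but worth a comment. Names that do not match are handed on still tainted, so under `-T` they will presumably die inside the require rather than in this block; a comment such as `# non-matching names stay tainted and fail later in require under -T` would make "left alone" less ambiguous. The enclosing `load_classes` body starts and ends outside this hunk.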
@@ -0,0 +1,33 @@
+#!perl -T
+
+# the above line forces Test::Harness into taint-mode
+
+use strict;
+use warnings;
+
+our @plan;
+
+BEGIN {
+ eval "require Module::Find;";
+ @plan = $@ ? ( skip_all => 'Could not load Module::Find' )
+ : ( tests => 2 );
+}
+
+package DBICTest::Schema;
+
+# Use the default test class namespace to avoid the need for a
+# new test infrastructure. If invalid classes will be introduced to
+# 't/lib/DBICTest/Schema/' someday, this has to be reworked.
+
+use lib qw(t/lib);
+
+use Test::More @plan;
+
+use base qw/DBIx::Class::Schema/;
+
+eval{ __PACKAGE__->load_classes() };
+cmp_ok( $@, 'eq', '',
+ 'Loading classes with Module::Find worked in taint mode' );
+ok( __PACKAGE__->sources(), 'At least on source has been registered' );
+
+1;
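Review bot: `ok( __PACKAGE__->sources(), ... )` on the second-to-last line presumably only works because Test::More's `ok` prototype forces its first argument into scalar context; read as plain Perl the method call is a list that would spill into the description slot, so make the intent explicit and fix the typo in the description at the same time: `ok( scalar __PACKAGE__->sources, 'At least one source has been registered' );`. `cmp_ok( $@, 'eq', '', ... )` is more idiomatically `is( $@, '', 'Loading classes with Module::Find worked in taint mode' );`, with the same diagnostics on failure. The test also never establishes that the names Module::Find returns were tainted to begin with, so it would pass unchanged against a build where the untaint block is a no-op; a `Scalar::Util::tainted` check on one of the names Module::Find returns for the test namespace, run before `load_classes`, would pin the property the commit message claims (and the plan would become 3).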