From: Jarkko Hietaniemi Date: Tue, 16 Apr 2002 13:36:30 +0000 (+0000) Subject: Stas' tainting worries, obscured by me. X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=926cbafe59ef28067493b902ada7a0be81a77e57;p=p5sagit%2Fp5-mst-13.2.git Stas' tainting worries, obscured by me. p4raw-id: //depot/perl@15950 --- diff --git a/ext/Cwd/t/cwd.t b/ext/Cwd/t/cwd.t index 919cfb1..83b6f7f 100644 --- a/ext/Cwd/t/cwd.t +++ b/ext/Cwd/t/cwd.t @@ -1,4 +1,4 @@ -#!./perl +#!./perl -T BEGIN { chdir 't' if -d 't'; @@ -41,7 +41,10 @@ print "# native pwd = '$pwd_cmd'\n"; SKIP: { skip "No native pwd command found to test against", 4 unless $pwd_cmd; - chomp(my $start = `$pwd_cmd`); + local @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}; + my ($pwd_cmd_untainted) = $pwd_cmd =~ /^(.+)$/; # Untaint. + chomp(my $start = `$pwd_cmd_untainted`); + # Win32's cd returns native C:\ style $start =~ s,\\,/,g if ($^O eq 'MSWin32' || $^O eq "NetWare"); # DCL SHOW DEFAULT has leading spaces diff --git a/lib/Cwd.pm b/lib/Cwd.pm index 6f3cb7c..d85d1ea 100644 --- a/lib/Cwd.pm +++ b/lib/Cwd.pm @@ -407,9 +407,16 @@ sub fast_abs_path { my $cwd = getcwd(); require File::Spec; my $path = @_ ? shift : File::Spec->curdir; - CORE::chdir($path) || croak "Cannot chdir to $path:$!"; + CORE::chdir($path) || croak "Cannot chdir to $path: $!"; my $realpath = getcwd(); - CORE::chdir($cwd) || croak "Cannot chdir back to $cwd:$!"; + # I cannot think of an untainting regular expression + # that wouldn't also (a) be unportable (b) disqualify valid pathnames + # so just untainting all of it here and relying on -d and CORE::chdir + # to verify the validity. + # --jhi + my ($cwd_untainted) = ($cwd =~ /^(.+)$/); + -d $cwd_untainted && CORE::chdir($cwd_untainted) || + croak "Cannot chdir back to $cwd: $!"; $realpath; }
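Review bot: The `# Untaint.` comment on the `$pwd_cmd_untainted` line in ext/Cwd/t/cwd.t says what the match does but not why it is safe: `/^(.+)$/` accepts essentially any value, and the result goes straight into backticks. The assignment of `$pwd_cmd` is outside this hunk; if the test picks it from fixed candidates, the comment should say so, e.g. `# $pwd_cmd is chosen by this test from fixed candidates, never from outside input, so a catch-all untaint is acceptable here`. If the match ever fails, `$pwd_cmd_untainted` is undef and the backticks run an empty command, so a `defined` check before the call would make that failure visible. The SKIP block continues past the end of the hunk.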
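Review bot: The catch-all untaint added to `fast_abs_path` in lib/Cwd.pm does not accept every valid path. Without `/s`, `.` stops at a newline and `$` also matches before a trailing one, so a working directory whose name contains a newline either fails to match or is silently truncated to a different path. On a failed match `$cwd_untainted` is undef, the croak fires and the process is left in `$path`. `my ($cwd_untainted) = ($cwd =~ /\A(.+)\z/s);` keeps the intent stated in the comment. The `-d` test before `CORE::chdir` is a check-then-use pair that adds nothing `chdir`'s own failure does not already report, so the comment should not describe it as validation. The function opens above the hunk.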