From: Peter Rabbitson Date: Tue, 3 Mar 2009 09:44:52 +0000 (+0000) Subject: Extend untainting of findallmod() to load_namespaces as well as load_classes X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=f340505818aff7213d79ca814c73381832e14185;p=dbsrgits%2FDBIx-Class-Historic.git Extend untainting of findallmod() to load_namespaces as well as load_classes --- diff --git a/lib/DBIx/Class/Schema.pm b/lib/DBIx/Class/Schema.pm index 1c75a50..b6ab5f4 100644 --- a/lib/DBIx/Class/Schema.pm +++ b/lib/DBIx/Class/Schema.pm @@ -157,6 +157,21 @@ sub _expand_relative_name { return $name; } +# Finds all modules in the supplied namespace, or if omitted in the +# namespace of $class. Untaints all findings as they can be assumed +# to be safe +sub _findallmod { + my $proto = shift; + my $ns = shift || ref $proto || $proto; + + my @mods = Module::Find::findallmod($ns); + + # try to untaint module names. mods where this fails + # are left alone so we don't have to change the old behavior + no locale; # localized \w doesn't untaint expression + return map { $_ =~ m/^( (?:\w+::)* \w+ )$/x ? $1 : $_ } @mods; +} + # returns a hash of $shortname => $fullname for every package # found in the given namespaces ($shortname is with the $fullname's # namespace stripped off) @@ -168,7 +183,7 @@ sub _map_namespaces { push( @results_hash, map { (substr($_, length "${namespace}::"), $_) } - Module::Find::findallmod($namespace) + $class->_findallmod($namespace) ); } @@ -314,7 +329,7 @@ sub load_classes { } } else { my @comp = map { substr $_, length "${class}::" } - Module::Find::findallmod($class); + $class->_findallmod; $comps_for{$class} = \@comp; } @@ -325,13 +340,6 @@ sub load_classes { foreach my $prefix (keys %comps_for) { foreach my $comp (@{$comps_for{$prefix}||[]}) { my $comp_class = "${prefix}::${comp}"; - { # try to untaint module name. mods where this fails - # are left alone so we don't have to change the old behavior - no locale; # localized \w doesn't untaint expression - if ( $comp_class =~ m/^( (?:\w+::)* \w+ )$/x ) { - $comp_class = $1; - } - } $class->ensure_class_loaded($comp_class); my $snsub = $comp_class->can('source_name'); diff --git a/t/54taint.t b/t/54taint.t index f54ed93..c3df11f 100644 --- a/t/54taint.t +++ b/t/54taint.t @@ -6,17 +6,7 @@ use strict; use warnings; use Test::More; - -BEGIN { - eval "require Module::Find;"; - if ($@) { - plan skip_all => 'Could not load Module::Find'; - exit; - } - else { - plan tests => 7; - } -} +BEGIN { plan tests => 7 } package DBICTest::Taint::Classes; @@ -52,5 +42,4 @@ lives_ok (sub { ok( __PACKAGE__->source('Test'), 'The Namespaces::Test source has been registered' ); }, 'Loading classes with Module::Find/load_namespaces worked in taint mode' ); - 1;