From: Karen Etheridge Date: Wed, 11 Sep 2013 00:33:08 +0000 (-0700) Subject: detaint version, if needed (RT#88576, Chris Williams) X-Git-Tag: v1.000017~2 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Ftopic%2Ftaint;p=p5sagit%2FModule-Metadata.git detaint version, if needed (RT#88576, Chris Williams) --- diff --git a/Changes b/Changes index 0807f83..581acac 100644 --- a/Changes +++ b/Changes @@ -1,5 +1,7 @@ Release history for Module-Metadata + - detaint version, if needed (RT#88576, Chris Williams) + 1.000016 2013-08-21 - Re-release to fix prereqs and other metadata diff --git a/lib/Module/Metadata.pm b/lib/Module/Metadata.pm index e8d6856..969d67c 100644 --- a/lib/Module/Metadata.pm +++ b/lib/Module/Metadata.pm @@ -663,6 +663,8 @@ sub _evaluate_version_line { }; }}; + $eval = $1 if $eval =~ m{^(.+)}s; + local $^W; # Try to get the $VERSION eval $eval; diff --git a/t/taint.t b/t/taint.t new file mode 100644 index 0000000..8ca1346 --- /dev/null +++ b/t/taint.t @@ -0,0 +1,20 @@ +#!/usr/bin/perl -T +use strict; +use warnings; + +use 5.008000; # for ${^TAINT} +use Module::Metadata; +use Test::More; +use Test::Fatal; + +ok(${^TAINT}, 'taint flag is set'); + +# without the fix, we get: +# Insecure dependency in eval while running with -T switch at lib/Module/Metadata.pm line 668, line 15. +is( + exception { Module::Metadata->new_from_module( "Module::Metadata" )->version }, + undef, + 'no exception', +); + +done_testing;
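Review bot: The added `$eval = $1 if $eval =~ m{^(.+)}s;` in `_evaluate_version_line` is an unconditional launder: the pattern accepts any non-empty string, so it clears the taint flag without validating anything, and the result goes straight into the string `eval $eval` a few lines below. That looks intentional for this module, but it means `-T` no longer protects callers when the scanned file is not trusted (assuming, as the sub name suggests, that `$eval` is built from the file's version line; its construction is outside the hunk). I would document this above the line, e.g. `# Blanket untaint on purpose: this text is eval'd below, so callers running under -T must only pass files they trust.` The sub starts and ends outside the hunk.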
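Review bot: `use Test::Fatal;` in the new t/taint.t adds a non-core test dependency, and no prereq file is touched in this commit; if it is not already declared, the test will fail to load on a clean install. A core-only form avoids that: `ok(eval { Module::Metadata->new_from_module("Module::Metadata")->version; 1 }, 'no exception') or diag $@;`. The test also only checks that nothing dies. Comparing the returned version with `$Module::Metadata::VERSION` would confirm that the untainted string still evaluates to the expected value.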