Changed DBIC::Schema->load_classes to be taint-safe even when Module::Find is used...

Added a testfile for this behavior and any further taint related issues.

diff --git a/lib/DBIx/Class/Schema.pm b/lib/DBIx/Class/Schema.pm
index aaf8e9f..8f8d846 100644 (file)
--- a/lib/DBIx/Class/Schema.pm
+++ b/lib/DBIx/Class/Schema.pm
@@ -269,6 +269,13 @@ sub load_classes {
     foreach my $prefix (keys %comps_for) {
       foreach my $comp (@{$comps_for{$prefix}||[]}) {
         my $comp_class = "${prefix}::${comp}";
+        { # try to untaint module name. mods where this fails
+          # are left alone so we don't have to change the old behavior
+          no locale; # localized \w doesn't untaint expression
+          if ( $comp_class =~ m/^( (?:\w+::)* \w+ )$/x ) {
+            $comp_class = $1;
+          }
+        }
         $class->ensure_class_loaded($comp_class);
         $comp_class->source_name($comp) unless $comp_class->source_name;
 

diff --git a/t/54taint.t b/t/54taint.t
new file mode 100644 (file)
index 0000000..8e93b48
--- /dev/null
+++ b/t/54taint.t
@@ -0,0 +1,33 @@
+#!perl -T
+
+# the above line forces Test::Harness into taint-mode
+
+use strict;
+use warnings;
+
+our @plan;
+
+BEGIN {
+  eval "require Module::Find;";
+  @plan = $@ ? ( skip_all => 'Could not load Module::Find' )
+    : ( tests => 2 );
+}
+
+package DBICTest::Schema;
+
+# Use the default test class namespace to avoid the need for a
+# new test infrastructure. If invalid classes will be introduced to
+# 't/lib/DBICTest/Schema/' someday, this has to be reworked.
+
+use lib qw(t/lib);
+
+use Test::More @plan;
+
+use base qw/DBIx::Class::Schema/;
+
+eval{ __PACKAGE__->load_classes() };
+cmp_ok( $@, 'eq', '',
+        'Loading classes with Module::Find worked in taint mode' );
+ok( __PACKAGE__->sources(), 'At least on source has been registered' );
+
+1;