untaint cwd when constructing full perl file path

[p5sagit/Config-Any.git] / lib / Config / Any / Perl.pm

diff --git a/lib/Config/Any/Perl.pm b/lib/Config/Any/Perl.pm
index 1dd1499..ff27b12 100644 (file)
--- a/lib/Config/Any/Perl.pm
+++ b/lib/Config/Any/Perl.pm
@@ -3,7 +3,9 @@ package Config::Any::Perl;
 use strict;
 use warnings;
 
-my %cache;
+use base 'Config::Any::Base';
+use File::Spec;
+use Cwd ();
 
 =head1 NAME
 
@@ -44,27 +46,29 @@ Attempts to load C<$file> as a Perl file.
 sub load {
     my $class = shift;
     my $file  = shift;
-    my $content;
 
-    unless( $content = $cache{ $file } ) {
-        $content = eval { require $file };
-        $cache{ $file } = $content;
+    my( $exception, $content );
+    {
+        local $@;
+        # previously this would load based on . being in @INC, and wouldn't
+        # trigger taint errors even if '.' probably should have been considered
+        # tainted.  untaint for backwards compatibility.
+        my ($cwd) = Cwd::cwd() =~ /\A(.*)\z/s;
+        $content = do File::Spec->rel2abs($file, $cwd);
+        $exception = $@;
     }
+    die $exception if $exception;
 
     return $content;
 }
 
 =head1 AUTHOR
 
-=over 4 
-
-=item * Brian Cassidy E<lt>bricas@cpan.orgE<gt>
-
-=back
+Brian Cassidy E<lt>bricas@cpan.orgE<gt>
 
 =head1 COPYRIGHT AND LICENSE
 
-Copyright 2006 by Brian Cassidy
+Copyright 2006-2016 by Brian Cassidy
 
 This library is free software; you can redistribute it and/or modify
 it under the same terms as Perl itself.