untaint cwd when constructing full perl file path

[p5sagit/Config-Any.git] / lib / Config / Any / Perl.pm

diff --git a/lib/Config/Any/Perl.pm b/lib/Config/Any/Perl.pm
index fee9e4d..ff27b12 100644 (file)
--- a/lib/Config/Any/Perl.pm
+++ b/lib/Config/Any/Perl.pm
@@ -4,8 +4,8 @@ use strict;
 use warnings;
 
 use base 'Config::Any::Base';
-
-my %cache;
+use File::Spec;
+use Cwd ();
 
 =head1 NAME
 
@@ -46,12 +46,18 @@ Attempts to load C<$file> as a Perl file.
 sub load {
     my $class = shift;
     my $file  = shift;
-    my $content;
 
-    unless ( $content = $cache{ $file } ) {
-        $content = require $file;
-        $cache{ $file } = $content;
+    my( $exception, $content );
+    {
+        local $@;
+        # previously this would load based on . being in @INC, and wouldn't
+        # trigger taint errors even if '.' probably should have been considered
+        # tainted.  untaint for backwards compatibility.
+        my ($cwd) = Cwd::cwd() =~ /\A(.*)\z/s;
+        $content = do File::Spec->rel2abs($file, $cwd);
+        $exception = $@;
     }
+    die $exception if $exception;
 
     return $content;
 }
@@ -62,7 +68,7 @@ Brian Cassidy E<lt>bricas@cpan.orgE<gt>
 
 =head1 COPYRIGHT AND LICENSE
 
-Copyright 2006-2009 by Brian Cassidy
+Copyright 2006-2016 by Brian Cassidy
 
 This library is free software; you can redistribute it and/or modify
 it under the same terms as Perl itself.