detaint version, if needed (RT#88576, Chris Williams)

diff --git a/Changes b/Changes
index 0807f83..581acac 100644 (file)
--- a/Changes
+++ b/Changes
@@ -1,5 +1,7 @@
 Release history for Module-Metadata
 
+  - detaint version, if needed (RT#88576, Chris Williams)
+
 1.000016   2013-08-21
   - Re-release to fix prereqs and other metadata
 

diff --git a/lib/Module/Metadata.pm b/lib/Module/Metadata.pm
index e8d6856..969d67c 100644 (file)
--- a/lib/Module/Metadata.pm
+++ b/lib/Module/Metadata.pm
@@ -663,6 +663,8 @@ sub _evaluate_version_line {
       };
   }};
 
+  $eval = $1 if $eval =~ m{^(.+)}s;
+
   local $^W;
   # Try to get the $VERSION
   eval $eval;

diff --git a/t/taint.t b/t/taint.t
new file mode 100644 (file)
index 0000000..8ca1346
--- /dev/null
+++ b/t/taint.t
@@ -0,0 +1,20 @@
+#!/usr/bin/perl -T
+use strict;
+use warnings;
+
+use 5.008000;   # for ${^TAINT}
+use Module::Metadata;
+use Test::More;
+use Test::Fatal;
+
+ok(${^TAINT}, 'taint flag is set');
+
+# without the fix, we get:
+# Insecure dependency in eval while running with -T switch at lib/Module/Metadata.pm line 668, <GEN0> line 15.
+is(
+    exception { Module::Metadata->new_from_module( "Module::Metadata" )->version },
+    undef,
+    'no exception',
+);
+
+done_testing;