remove relative directories from $ENV{PATH} (for taint mode)

Otherwise, the module will die when you use it with PATH=$PATH:. (as is the case on the OpenBSD cpan testers).
2012-07-11 08:58:59 +02:00 · 2012-07-11 08:58:59 +02:00 · b4058790cc
parent af6f180c35
commit b4058790cc
1 changed files with 17 additions and 3 deletions
--- a/lib/AnyEvent/I3.pm
+++ b/lib/AnyEvent/I3.pm
@ -8,6 +8,7 @@ use AnyEvent::Handle;
 use AnyEvent::Socket;
 use AnyEvent;
 use Encode;
+use Scalar::Util qw(tainted);

 =head1 NAME

@ -107,12 +108,25 @@ sub new {
    my ($class, $path) = @_;

    if (!$path) {
+        my $path_tainted = tainted($ENV{PATH});
        # This effectively circumvents taint mode checking for $ENV{PATH}. We
        # do this because users might specify PATH explicitly to call i3 in a
        # custom location (think ~/.bin/).
-        my $paths = $ENV{PATH};
-        if ($paths =~ /^(.*)$/) {
-            $ENV{PATH} = $1;
+        (local $ENV{PATH}) = ($ENV{PATH} =~ /(.*)/);
+
+        # In taint mode, we also need to remove all relative directories from
+        # PATH (like . or ../bin). We only do this in taint mode and warn the
+        # user, since this might break a real-world use case for some people.
+        if ($path_tainted) {
+            my @dirs = split /:/, $ENV{PATH};
+            my @filtered = grep !/^\./, @dirs;
+            if (scalar @dirs != scalar @filtered) {
+                $ENV{PATH} = join ':', @filtered;
+                warn qq|Removed relative directories from PATH because you | .
+                     qq|are running Perl with taint mode enabled. Remove -T | .
+                     qq|to be able to use relative directories in PATH. | .
+                     qq|New PATH is "$ENV{PATH}"|;
+            }
        }
        # Otherwise the qx() operator wont work:
        delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};