On Tue, 7 Dec 2004, Stas Bekman wrote:
> As soon as you see dup like this, think refactoring :) e.g. add
> untaint_path(), that does the work and call it:
>
> local $ENV{PATH} = untaint_path($ENV{PATH});
>
> Otherwise +1.
>
> And of course this wrapper should probably be used in open_cmd too!
Here's a patch that does that:
==================================================================
Index: lib/Apache/TestConfig.pm
===================================================================
--- lib/Apache/TestConfig.pm (revision 111156)
+++ lib/Apache/TestConfig.pm (working copy)
@@ -1045,12 +1045,8 @@
my($self, $cmd) = @_;
# untaint some %ENV fields
local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
+ local $ENV{PATH} = untaint_path($ENV{PATH});
- # Temporarily untaint PATH
- (local $ENV{PATH}) = ( $ENV{PATH} =~ /(.*)/ );
- # -T disallows relative directories in the PATH
- $ENV{PATH} = join ':', grep !/^\./, split /:/, $ENV{PATH};
-
# launder for -T
$cmd = $1 if $cmd =~ /(.*)/;
@@ -1663,7 +1659,8 @@
return unless $self->{APXS};
my $val;
unless (exists $self->{_apxs}{$q}) {
- local @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) };
+ local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
+ local $ENV{PATH} = untaint_path($ENV{PATH});
my $devnull = devnull();
my $apxs = shell_ready($self->{APXS});
$val = qx($apxs -q $q 2>$devnull);
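Review bot: In this apxs query block the change is more than a refactoring. PATH used to sit in the `local @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) }` list, so it was cleared for the `qx($apxs -q $q 2>$devnull)` call, and now the caller's PATH is passed through to the child. Because the helper launders with `/(.*)/`, any PATH value is accepted. If apxs really needs PATH, state that in the commit message; otherwise keep PATH in the cleared list here and use untaint_path only in open_cmd.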
@@ -1684,6 +1681,17 @@
$self->{_apxs}{$q};
}
+# Temporarily untaint PATH
+sub untaint_path {
+ my $path = shift;
+ ($path) = ( $path =~ /(.*)/ );
+ # win32 uses ';' for a path separator, assume others use ':'
+ my $sep = WIN32 ? ';' : ':';
+ # -T disallows relative directories in the PATH
+ $path = join $sep, grep !/^\./, split /$sep/, $path;
+ return $path;
+}
+
sub pop_dir {
my $dir = shift;
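Review bot: In untaint_path, `grep !/^\./` drops only entries that begin with a dot, so empty entries (a leading, trailing or doubled separator) and relative entries such as `bin` are kept, even though the comment above it says -T disallows relative directories in the PATH. Consider dropping empty entries and keeping only those for which File::Spec->file_name_is_absolute is true. Two smaller points: an undefined $ENV{PATH} reaches `$path =~ /(.*)/` and will warn if warnings are enabled, so return early on undef; and the comment "Temporarily untaint PATH" describes the callers' `local`, not this function, which just returns a laundered, filtered copy.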
==============================================================
I tried committing it, but was denied access (I ensured I
did a co with https); perhaps some permissions need
adjusting (I did have commit access under cvs).
--
best regards,
randy