On Tue, 7 Dec 2004, Stas Bekman wrote:
> As soon as you see dup like this, think refactoring :) e.g. add
> untaint_path(), that does the work and call it:
>
>     local $ENV{PATH} = untaint_path($ENV{PATH});
>
> Otherwise +1.
>
> And of course this wrapper should probably be used in open_cmd too!

Here's a patch that does that: ================================================================== Index: lib/Apache/TestConfig.pm =================================================================== --- lib/Apache/TestConfig.pm (revision 111156) +++ lib/Apache/TestConfig.pm (working copy) @@ -1045,12 +1045,8 @@ my($self, $cmd) = @_; # untaint some %ENV fields local @ENV{ qw(IFS CDPATH ENV BASH_ENV) }; + local $ENV{PATH} = untaint_path($ENV{PATH}); - # Temporarily untaint PATH - (local $ENV{PATH}) = ( $ENV{PATH} =~ /(.*)/ ); - # -T disallows relative directories in the PATH - $ENV{PATH} = join ':', grep !/^\./, split /:/, $ENV{PATH}; - # launder for -T $cmd = $1 if $cmd =~ /(.*)/; @@ -1663,7 +1659,8 @@ return unless $self->{APXS}; my $val; unless (exists $self->{_apxs}{$q}) { - local @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) }; + local @ENV{ qw(IFS CDPATH ENV BASH_ENV) }; + local $ENV{PATH} = untaint_path($ENV{PATH}); my $devnull = devnull(); my $apxs = shell_ready($self->{APXS}); $val = qx($apxs -q $q 2>$devnull); @@ -1684,6 +1681,17 @@ $self->{_apxs}{$q}; } +# Temporarily untaint PATH +sub untaint_path { + my $path = shift; + ($path) = ( $path =~ /(.*)/ ); + # win32 uses ';' for a path separator, assume others use ':' + my $sep = WIN32 ? ';' : ':'; + # -T disallows relative directories in the PATH + $path = join $sep, grep !/^\./, split /$sep/, $path; + return $path; +} + sub pop_dir { my $dir = shift; ============================================================== I tried committing it, but was denied access (I ensured I did a co with https); perhaps some permissions need adjusting (I did have commit access under cvs). -- best regards, randy
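
Review bot: in the new untaint_path sub (third hunk), `grep !/^\./` only drops PATH entries that begin with a dot, while the comment above it says -T disallows relative directories. An empty field (from a leading or doubled separator, which a shell treats as the current directory) or a relative entry such as `bin` still passes the filter. Consider keeping only non-empty entries for which File::Spec->file_name_is_absolute is true. Two smaller points in the same sub: `$path =~ /(.*)/` is applied to an undefined value when PATH is unset, so a `defined` guard would help, and the "# Temporarily untaint PATH" comment now describes the caller's `local`, not what the sub itself does.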
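
Review bot: in the second hunk (the apxs query), PATH is no longer cleared before `qx($apxs -q $q 2>$devnull)`. It used to be in the `local @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) }` list and is now inherited from the caller after a blanket `/(.*)/` untaint. That is a behaviour change beyond removing duplication, so it deserves a comment saying why the command needs the caller's PATH here. It would also help to state whether `$self->{APXS}` is expected to be an absolute path, so that the inherited PATH is not what resolves the program being run.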