* Dave Rolsky <[EMAIL PROTECTED]> [2007-04-15 16:35]:
> On Sun, 15 Apr 2007, Ovid wrote:
> >Just doing "system('svn', 'info', $uri)" can get you an
> >"Insecure $ENV{PATH}" (or something like that) when running in
> >taint mode.
>
> I was going to use File::Which.
What’s the point? File::Which examines the PATH to locate executables,
so whether you do

    my $svn = which( 'svn' );
    system( $svn, 'status' );

or

    system( 'svn', 'status' );

makes no effective difference.

I’d attack this directly by cleaning up $ENV{PATH}:

    use Config;
    use File::Spec::Functions;
    use File::stat;
    use Fcntl qw( :mode );

    $ENV{PATH} = do {
        my $sep = $Config{path_sep};
        join $sep, (
            # capture in list context returns $1, which is untainted
            map  { /(.*)/ }
            # '!' binds tighter than '&', so the parentheses are required
            grep { ! ( stat($_)->mode & S_IWOTH ) }
            # skip entries that do not exist, or stat() returns undef
            grep { -d $_ }
            grep { file_name_is_absolute( $_ ) }
            split( /\Q$sep/, $ENV{PATH}, -1 ),
        );
    };

This splits the PATH on its platform-specific separators, weeds out
relative entries, weeds out world-writable directories, and finally
rubberstamps them all as sane, before joining them all back on the
platform’s PATH separator.

Maybe this deserves to go in some module. It took an arguably
unreasonable amount of time to gather and arrange all the cogs, as the
train of modules I ended up pulling in illustrates – and that’s not even
the full list of modules whose docs and source(!) I referred to.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
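Added example, not part of the thread above: the same PATH filter written as a function and exercised on constructed directories, so the effect of each rule (relative, non-existent, world-writable) is visible. The name sanitize_path is hypothetical; the temporary directories are created for the demonstration only.

```perl
use strict;
use warnings;
use Config;
use File::Spec::Functions qw( file_name_is_absolute catdir );
use File::Temp qw( tempdir );
use Fcntl qw( :mode );

# Hypothetical helper: keep only PATH entries that are absolute, exist as
# directories and are not world-writable; untaint each survivor with a
# regex capture, as the snippet in the message does. Works with or without -T.
sub sanitize_path {
    my ($path) = @_;
    my $sep = $Config{path_sep};
    my @keep;
    for my $dir ( split /\Q$sep/, $path, -1 ) {
        next unless file_name_is_absolute($dir);
        my @st = stat $dir;                  # empty list if it does not exist
        next unless @st && S_ISDIR( $st[2] );
        # Parenthesise the test: '!' binds tighter than '&', so
        # "! $mode & S_IWOTH" is always 0 and would drop every entry.
        next if $st[2] & S_IWOTH;
        my ($clean) = $dir =~ /\A(.*)\z/s;   # rubberstamp as untainted
        push @keep, $clean;
    }
    return join $sep, @keep;
}

# Constructed input: one sane directory, one world-writable directory,
# one relative entry and one that does not exist.
my $root = tempdir( CLEANUP => 1 );
my $good = catdir( $root, 'bin' );
my $bad  = catdir( $root, 'scratch' );
mkdir $good, 0755 or die "mkdir $good: $!";
mkdir $bad,  0777 or die "mkdir $bad: $!";
chmod 0777, $bad;                            # override the umask explicitly

my $sep = $Config{path_sep};
my $in  = join $sep, $good, $bad, 'relative/bin', catdir( $root, 'missing' );
my $out = sanitize_path($in);
print "before: $in\nafter:  $out\n";
die "sanitize_path kept the wrong entries" unless $out eq $good;

# In a real script run under -T, clean the environment the same way before
# calling system(): perl also refuses to run with IFS, CDPATH, ENV or
# BASH_ENV set from a tainted source (see perlsec).
$ENV{PATH} = sanitize_path( $ENV{PATH} );
delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
```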