Author: stas Date: Tue Dec 7 21:52:19 2004 New Revision: 111218 URL: http://svn.apache.org/viewcvs?view=rev&rev=111218 Log: properly untaint path on win32 (different separator: ';') move the untaint code into its own wrapper: untaint_path() contributed by: Randy Kobes
Modified: httpd/test/trunk/perl-framework/Apache-Test/lib/Apache/TestConfig.pm Modified: httpd/test/trunk/perl-framework/Apache-Test/lib/Apache/TestConfig.pm Url: http://svn.apache.org/viewcvs/httpd/test/trunk/perl-framework/Apache-Test/lib/Apache/TestConfig.pm?view=diff&rev=111218&p1=httpd/test/trunk/perl-framework/Apache-Test/lib/Apache/TestConfig.pm&r1=111217&p2=httpd/test/trunk/perl-framework/Apache-Test/lib/Apache/TestConfig.pm&r2=111218 ============================================================================== --- httpd/test/trunk/perl-framework/Apache-Test/lib/Apache/TestConfig.pm (original) +++ httpd/test/trunk/perl-framework/Apache-Test/lib/Apache/TestConfig.pm Tue Dec 7 21:52:19 2004 @@ -1045,11 +1045,7 @@ my($self, $cmd) = @_; # untaint some %ENV fields local @ENV{ qw(IFS CDPATH ENV BASH_ENV) }; - - # Temporarily untaint PATH - (local $ENV{PATH}) = ( $ENV{PATH} =~ /(.*)/ ); - # -T disallows relative directories in the PATH - $ENV{PATH} = join ':', grep !/^\./, split /:/, $ENV{PATH}; + local $ENV{PATH} = untaint_path($ENV{PATH}); # launder for -T $cmd = $1 if $cmd =~ /(.*)/; @@ -1663,7 +1659,8 @@ return unless $self->{APXS}; my $val; unless (exists $self->{_apxs}{$q}) { - local @ENV{ qw(PATH IFS CDPATH ENV BASH_ENV) }; + local @ENV{ qw(IFS CDPATH ENV BASH_ENV) }; + local $ENV{PATH} = untaint_path($ENV{PATH}); my $devnull = devnull(); my $apxs = shell_ready($self->{APXS}); $val = qx($apxs -q $q 2>$devnull); @@ -1682,6 +1679,17 @@ } } $self->{_apxs}{$q}; +} + +# Temporarily untaint PATH +sub untaint_path { + my $path = shift; + ($path) = ( $path =~ /(.*)/ ); + # win32 uses ';' for a path separator, assume others use ':' + my $sep = WIN32 ? ';' : ':'; + # -T disallows relative directories in the PATH + $path = join $sep, grep !/^\./, split /$sep/, $path; + return $path; } sub pop_dir {
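Review bot: The apxs query in the second hunk now runs under the caller's PATH instead of an unset one, and nothing in the code says why. `PATH` was dropped from the `local @ENV{ qw(...) }` list and replaced by `local $ENV{PATH} = untaint_path($ENV{PATH});`, so the shell started by `qx($apxs -q $q 2>$devnull)` resolves commands against a search path taken from the environment. If keeping PATH is intended (presumably so apxs can find its helpers on win32), a comment on the new line such as `# keep a laundered PATH for apxs; entries still come from the caller's environment` would record the decision. The enclosing sub begins and ends outside this hunk.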
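Review bot: The filter in untaint_path, `grep !/^\./`, removes only entries that start with a dot, so empty components (a leading or doubled separator, which a Unix shell reads as the current directory) and relative entries such as `bin` survive, although the comment above it says -T disallows relative directories. A stricter form would be `$path = join $sep, grep { length && File::Spec->file_name_is_absolute($_) } split /\Q$sep\E/, $path;`, assuming File::Spec is loaded in this module, which the hunk does not show. The `/(.*)/` capture clears the taint flag without checking anything, so this filter is the only validation the value gets before the first and second hunks assign it to `$ENV{PATH}`. The header comment `# Temporarily untaint PATH` no longer fits, because the sub returns a cleaned copy and the callers supply the `local`; `# Return a laundered copy of PATH with non-absolute entries removed; callers localize $ENV{PATH}` would describe it accurately.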