Subject: Doesn't work in taint mode
This module doesn't work under taint mode, because it tries to 'require'
modules whose names are tainted strings. These values come from
File::Find, which always gives tainted filenames. Under other
circumstances this tainting might make sense, but if a program is
"use"ing this module then the intention to load files from certain
directories is clear.
I think the _find_packages() function should untaint the filenames
before returning them. It might make sense to have some checking for
crazy characters in filenames, but we don't want it to break on
different platforms. I've attached a patch which allows all filenames,
which is better than not working at all.
thanks,
geoff
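An added example, not code from the ticket or from Fast.pm, of the stricter option the report mentions: untainting the paths File::Find returns with a whitelist of path characters rather than accepting everything. The helper name `untaint_path`, the search root taken from `@ARGV`, and the character class are assumptions; the class covers word characters, `.`, `-`, `:` and both directory separators so it runs on Unix and Windows, and it rejects `..` components and newlines.

```perl
#!/usr/bin/perl -T
# Added example (not part of the ticket or the module): collect *.pm files
# under a root with File::Find and untaint them before they reach require.
# Run with `perl -T` so the taint checks are actually active.
use strict;
use warnings;
use File::Find;
use Scalar::Util qw(tainted);

# untaint_path: hypothetical helper; returns the untainted path, or undef if
# it contains anything outside the whitelist or a '..' component.
sub untaint_path {
    my ($p) = @_;
    return undef if $p =~ m{(?:\A|[\\/])\.\.(?:[\\/]|\z)};   # no '..' parts
    return $1   if $p =~ m{\A([\w.\-:\\/]+)\z};              # whitelist only
    return undef;                                             # newline, shell metachars, ...
}

# find_modules: returns the list of untainted *.pm paths below $root and
# warns about (rather than loads) anything that fails the whitelist.
sub find_modules {
    my ($root) = @_;
    my @found;
    find(sub {
        my $path = $File::Find::name;            # tainted under -T
        return unless $path =~ /\w+\.pm\z/;
        return unless -f $path && !-l $path;     # skip dangling symlinks too
        my $clean = untaint_path($path);
        unless (defined $clean) {
            warn "skipping '$path': unexpected characters in filename\n";
            return;
        }
        push @found, $clean;
    }, $root);
    return @found;
}

# @ARGV is tainted as well, so the root goes through the same check.
my $root = defined $ARGV[0] ? $ARGV[0] : '.';
defined($root = untaint_path($root)) or die "refusing root directory\n";

for my $file (find_modules($root)) {
    die "internal error: '$file' is still tainted\n" if tainted($file);
    # $file is now acceptable to require/do under -T; failures are reported,
    # not fatal, so one bad module does not stop the scan.
    eval { require $file; 1 } or warn "could not load $file: $@";
}
```

The `tainted()` check is there only to make the point visible: a value that has passed through a capturing regex is untainted whatever the pattern was, so the safety comes entirely from how narrow the capture is, not from the untainting step itself.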
Subject: untaint.patch
--- Fast.pm.orig 2006-02-16 13:18:59.000000000 +0000
+++ Fast.pm 2006-02-16 13:22:38.000000000 +0000
@@ -112,6 +112,8 @@
my $wanted = sub {
my $path = $File::Find::name;
return unless $path =~ /\w+\.pm$/;
+ return unless $path =~ /\A(.+)\z/;
+ $path = $1; # untaint
# don't include symbolig links pointing into nowhere
# (e.g. emacs lock-files)
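Review bot: the capture `/\A(.+)\z/` on the two added lines matches every path except an empty one or one containing a newline, so it strips the taint flag without validating anything and the `return unless` guard is effectively dead; if a blanket untaint is the intent, state that beside the `# untaint` comment so a later reader does not mistake it for a check, and otherwise narrow the capture to the characters a module path can legitimately contain (for example `m{\A([\w.\-/]+\.pm)\z}`, with the platform separator added for non-Unix builds) and reject `..` components before the result is handed to `require`.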