Bug #26333 for Config-General: Interpolation bug in Config::General 2.32

According to bugs 14770, 24232, 17641 and 20742 there was a problem with Interpolated.pm line 94. The proposed solution (and subsequently implemented in version 2.32) was to delete line 94 because it was superfluous. It is my belief that the solution is not sufficient. Let me explain. Originally, there was just line 94, e.g. ... elsif ($this->{InterPolateEnv}) { # may lead to vulnerabilities, by default flag turned off $con . $ENV{$var}; } ... But that was problematic because $ENV{$var} might not be defined so in version 2.31 the code was changed to: ... 92: elsif ($this->{InterPolateEnv}) { 93: # may lead to vulnerabilities, by default flag turned off 94: $con . $ENV{$var}; 95: if (defined($ENV{$var})) { 96: $con . $ENV{$var}; 97: } 98: } ... Which is clearly a typo and the problem with "useless use of unitialized value" continued. But in 2.32 the code was changed to: ... elsif ($this->{InterPolateEnv}) { # may lead to vulnerabilities, by default flag turned off if (defined($ENV{$var})) { $con . $ENV{$var}; } } ... Which does indeed get rid of the error message but it causes another problem. What if $ENV{$var} is undefined? Nothing gets returned. But that is incorrect. $con should be returned in the event that $ENV{$var} is undefined. So the correct code is this: ... elsif ($this->{InterPolateEnv}) { # may lead to vulnerabilities, by default flag turned off if (defined($ENV{$var})) { $con . $ENV{$var}; } else { $con } } ... or defined $ENV{$var} ? $con . $ENV{$var} : $con;