Subject: Taint-related make test failure
(Note: this is actually with 2.054, but there's no such choice in the RT UI at the moment.)
"make test" of Mail-Box-2.054 on a Fedora Core 1 system, perl-5.8.1-92 fails with:
31fgroups/20list......ok 18/119Insecure dependency in eval while running with -T switch at ../lib/Mail/Message/Field/Full.pm line 60, <GEN1> line 1078.
The attached patch works around this by untainting the hash key fed to %implementations in Mail/Message/Field/Full.pm. I find it a bit surprising that this is needed though, but it should not hurt.
--- lib/Mail/Message/Field/Full.pm~ 2004-02-07 12:37:13.000000000 +0200
+++ lib/Mail/Message/Field/Full.pm 2004-02-07 12:48:17.000000000 +0200
@@ -54,8 +54,9 @@
if $class ne __PACKAGE__;
# Look for best class to suit this field
+ my ($impl) = (lc($name) =~ /^([a-z-]+)$/); # untaint
my $myclass = 'Mail::Message::Field::'
- . ($implementation{lc $name} || 'Unstructured');
+ . ($implementation{$impl} || 'Unstructured');
eval "require $myclass";
return if $@;
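
Review bot: on the added `my ($impl) = (lc($name) =~ /^([a-z-]+)$/);` line, a field name that contains anything outside `[a-z-]` after lowercasing (a digit or an underscore, for example) leaves `$impl` undefined, and `$implementation{$impl}` then indexes the hash with undef, which raises an uninitialized-value warning when warnings are enabled before it falls back to 'Unstructured'. Guard the lookup, for instance `(defined $impl && $implementation{$impl}) || 'Unstructured'`, so unmatched names take the fallback silently. The `# untaint` comment could also say why the key has to be clean before `eval "require $myclass"`, so a later edit does not widen the pattern or drop the capture without noticing the taint check it satisfies.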