
This queue is for tickets about the ExtUtils-MakeMaker CPAN distribution.

Report information
The Basics
Id: 5902
Status: rejected
Priority: 0/
Queue: ExtUtils-MakeMaker

People
Owner: Nobody in particular
Requestors: stas [...] stason.org
Cc:
AdminCc:

Bug Information
Severity: Unimportant
Broken in: (no value)
Fixed in: (no value)



Subject: Fix parse_version so it works under taint.
--- lib/ExtUtils/MM_Unix.pm.orig 2004-03-23 12:06:37.153572807 -0800 +++ lib/ExtUtils/MM_Unix.pm 2004-03-23 17:27:25.849684620 -0800 @@ -3092,6 +3092,8 @@ next if $inpod || /^\s*#/; chop; next unless /(?<!\\)([\$*])(([\w\:\']*)\bVERSION)\b.*\=/; + # untaint + { local($1, $2); ($_ = $_) = /(.*)/; } my $eval = qq{ package ExtUtils::MakeMaker::_version; no strict;

AFAIK, p5p was hesitant to accept it. The story is that MM's parse_version does not run under -T. And that patch fixes it, blindly untainting the line it evals, assuming that if it's safe to require the file and then check the version, it's just as safe to untaint it. But then Ken showed a hypothetical example of what could go wrong...
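Review bot: the added untaint `{ local($1, $2); ($_ = $_) = /(.*)/; }` is unconditional: `/(.*)/` matches any content, so the taint flag is cleared from the whole line no matter what it holds, and that line is then interpolated into `$eval` and evaluated. That removes the check -T exists to provide rather than satisfying it. If the line has to be untainted, match only the shape the code is prepared to evaluate (the `$VERSION = <literal>` assignment already identified by the preceding `next unless` pattern, with a tight right-hand side) and skip lines that do not conform, instead of passing them through `/(.*)/`. The conventional spelling of the capture-and-assign is also `($_) = /(.*)/`; the `($_ = $_)` form is harder to read for no gain.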
I'm still wary of doing this.
After Adam Kennedy's demonstration of taking down PAUSE with a cleverly designed $VERSION, I'm going to reject this idea.
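A Perl illustration of the point argued in this ticket, added here and not part of the ticket or of ExtUtils::MakeMaker: the blanket `/(.*)/` untaint clears the taint flag from any line at all, while a pattern restricted to a version literal yields an untainted value only for lines that actually look like `$VERSION = '...'` and rejects everything else. The sample lines and the use of `$ENV{PATH}` as a taint source are constructed for the demonstration.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed taint source: every %ENV value is tainted under -T, and taint
# propagates through substr and concatenation, so this empty string marks
# each sample line as tainted just as a line read from a file would be.
my $taint = substr($ENV{PATH} // '', 0, 0);

# Constructed sample lines standing in for what parse_version reads.
my @lines = map { $_ . $taint } (
    q{our $VERSION = '1.23';},
    q{$Foo::Bar::VERSION = "2.001_01";},
    q{$VERSION = do { warn 'side effect'; '1.0' };},   # not a plain literal
);

# The ticket's approach: /(.*)/ matches anything, so the whole line is
# untainted regardless of content and would go straight into the eval.
sub blanket_untaint {
    my ($line) = @_;
    my ($clean) = $line =~ /(.*)/;
    return $clean;
}

# Restrictive alternative: only a $VERSION assignment whose right-hand side
# is a bare or quoted numeric version literal yields a value; everything
# else is rejected (undef) instead of being laundered into the eval.
sub version_literal {
    my ($line) = @_;
    return unless $line =~ /^\s*(?:our\s+)?\$(?:[\w:']*\b)?VERSION\s*=\s*(['"]?)(v?\d[\d._]*)\1\s*;\s*$/;
    return $2;    # a regex capture is untainted by definition
}

for my $line (@lines) {
    my $blind = blanket_untaint($line);
    my $ver   = version_literal($line);
    printf "%-48s blanket tainted: %d   strict: %s\n",
        $line,
        tainted($blind) ? 1 : 0,
        defined $ver ? sprintf("'%s' tainted: %d", $ver, tainted($ver) ? 1 : 0)
                     : 'rejected';
}
```

Run it as `perl -T untaint_demo.pl` so taint mode is actually on; without `-T` nothing is tainted and both columns report 0.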