Subject: Unwarranted laundering of tainted mime_attr and mime_type
Date: Thu, 31 Mar 2011 16:44:19 +0200
To: bug-MIME-tools [...] rt.cpan.org
From: Mark Martinec <Mark.Martinec [...] ijs.si>
MIME-tools versions 5.502 as well as 5.420 are taint-laundering MIME attributes
and MIME type (and possibly other data). I believe this is unintentional
and unwarranted, circumventing the taint security concept/intention.
Example:
$ perl -MMIME::Parser -MScalar::Util -Te '
$h=MIME::Parser->new->parse(\*STDIN)->head;
$ht=$h->mime_type;
$hn=$h->mime_attr("content-type.name");
printf("%d, %s\n", Scalar::Util::tainted($ht),$ht);
printf("%d, %s\n", Scalar::Util::tainted($hn),$hn)'
Content-Type: $path; name=$shell
^Z
0, $path
0, $shell
(should be a '1' instead of a '0' in the result)
Attached is a patch to fix the problem. There are two things needed
for a solution: avoiding implicit untainting by regexp captures
unless explicitly required, and a workaround for a [perl #87336]
bug: http://rt.perl.org/rt3/Ticket/Display.html?id=87336
I find it most convenient to have:
use re 'taint';
in all modules, and override it only locally in a block
where necessary, e.g.:
{
no re 'taint'; # allow untainting
/...($1).../; $result = $1;
}
Btw, my meticulous localizing of $1, $2, ... is due to a [perl #67962]
bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=67962
fixed in 5.13, but doesn't hurt anywhere as a matter of good practice.
Mark
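As an added illustration, not part of the report above or of MIME-tools itself, the following stand-alone script shows the laundering the report describes: a regexp capture on a tainted Content-Type value comes back untainted by default, `use re 'taint'` keeps the taint, and a local `no re 'taint'` block with a strict pattern is the deliberate-untainting style recommended above. The Content-Type strings are constructed, and the `substr($ENV{PATH}, 0, 0)` trick to taint them is this example's own assumption; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example (not MIME-tools code): how regexp captures launder taint,
# and how `use re 'taint'` plus a local `no re 'taint'` block avoids it.
# Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Module-wide: captures inherit the taint of the string they were matched against.
use re 'taint';

# Default Perl behaviour (scoped override): the capture is silently untainted
# even though the whole Content-Type value is tainted.
sub mime_type_laundered {
    my ($ct) = @_;
    no re 'taint';
    my ($type) = $ct =~ m{^\s*([^;\s]+)};
    return $type;
}

# Same extraction under `use re 'taint'`: the capture stays tainted, so a
# later unsafe use (open, system, ...) is still refused by -T.
sub mime_type_tainted {
    my ($ct) = @_;
    my ($type) = $ct =~ m{^\s*([^;\s]+)};
    return $type;
}

# Deliberate untainting, confined to one block and gated by a strict pattern:
# only a plausible "type/subtype" token is accepted (simplified token class,
# an assumption of this example); anything else yields undef.
sub mime_type_validated {
    my ($ct) = @_;
    no re 'taint';
    return $ct =~ m{^\s*([\w.+-]+/[\w.+-]+)\s*(?:;|\z)} ? $1 : undef;
}

# Constructed inputs. Under -T every %ENV value is tainted, and concatenating
# a zero-length tainted string marks our literals as tainted too.
my $taint = substr($ENV{PATH} // '', 0, 0);
my %extract = (
    laundered => \&mime_type_laundered,
    tainted   => \&mime_type_tainted,
    validated => \&mime_type_validated,
);
for my $ct ('text/plain; name=report.txt' . $taint, '$path; name=$shell' . $taint) {
    printf "input tainted=%d  %s\n", tainted($ct), $ct;
    for my $name (sort keys %extract) {
        my $v = $extract{$name}->($ct);
        printf "  %-9s tainted=%d  value=%s\n", $name, tainted($v // ''), $v // 'undef';
    }
}
```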