Subject: POE_TRACE_* and tainted mode
Hello,
I ran into this while implementing a POE-based application:
Setting a POE_TRACE variable is incompatible with programs using tainted mode. To
reproduce:
$ cat poe.pl
#!/usr/bin/perl -T
use POE;
$ perl -T poe.pl
(OK)
$ POE_TRACE_EVENTS=1 perl -T poe.pl
*
* POE can't use POE::Loop::Select:
* Insecure dependency in require while running with -T switch at
/usr/share/perl5/POE/Loop/Select.pm line 6.
BEGIN failed--compilation aborted at /usr/share/perl5/POE/Loop/Select.pm line 6.
Compilation failed in require at (eval 7) line 2.
Proposed patch:
*** Kernel.pm 2012-11-29 13:10:13.501586003 -0800
--- Kernel.pm.new 2012-11-29 13:22:54.765586002 -0800
***************
*** 355,360 ****
--- 355,363 ----
# Copy so we don't hurt our environment.
my $value = $val;
+ # Untaint
+ $value =~ /^([-\@\w.]+)$/;
+ $value = $1;
$value =~ tr['"][]d;
$value = 0 + $value if $value =~ /^\s*-?\d+(?:\.\d+)?\s*$/;
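Review bot: the result of the untaint match in the added lines is never checked, so when $value does not match /^([-\@\w.]+)$/ the following `$value = $1;` assigns whatever $1 held from an earlier successful match (or undef) instead of rejecting the value. Make the assignment conditional, for example `if ($value =~ /^([-\@\w.]+)$/) { $value = $1 } else { ... }`, and decide explicitly what a non-matching value becomes. The pattern also runs before the `tr['"][]d` line and allows no whitespace, so quoted values and the space-padded numbers that the existing numeric check on the last line accepts can never pass it. Moving the untaint after the quote stripping fixes the first case, and the character class or a trim would need to cover the second. Anchoring with \z instead of $ would also stop a trailing newline from being accepted.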