[Bps-public-commit] GnuPG-Interface branch, tainted-path, created. 0.52-59-gca6f454

sunnavy sunnavy at bestpractical.com
Fri Jan 15 18:45:51 EST 2021


The branch, tainted-path has been created
        at  ca6f4540b48df84c2a16f9bbbd5ca4723abc8bfe (commit)

- Log -----------------------------------------------------------------
commit ca6f4540b48df84c2a16f9bbbd5ca4723abc8bfe
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat Jan 16 07:20:45 2021 +0800

    Localize tainted PATH env to make exec happy
    
    In taint mode, even if the full path of gpg command was supplied, exec
    would still error out:
    
        Insecure $ENV{PATH} while running with -T switch
    
    This commit fixes this issue.
    
    On the other hand, if gpg is not a full path, it will never work in taint
    mode.

diff --git a/Makefile.PL b/Makefile.PL
index 7066a69..2181b51 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -23,6 +23,7 @@ requires 'MooX::HandlesVia' => '0.001004';
 requires 'MooX::late' => '0.014';
 requires 'Math::BigInt' => '1.78';
 requires 'Fatal';
+requires 'Scalar::Util';
 license 'perl';
 
 
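Review bot: `requires 'Scalar::Util';` is the only dependency in this hunk without a minimum version, while the neighbouring `MooX::late` and `Math::BigInt` lines are pinned; since the code depends on Scalar::Util exporting `tainted`, consider pinning a version known to provide it so an outdated installed copy is rejected at install time rather than failing at `use` time.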
diff --git a/lib/GnuPG/Interface.pm b/lib/GnuPG/Interface.pm
index c265443..884bce4 100644
--- a/lib/GnuPG/Interface.pm
+++ b/lib/GnuPG/Interface.pm
@@ -27,6 +27,7 @@ use IO::Handle;
 use Math::BigInt try => 'GMP';
 use GnuPG::Options;
 use GnuPG::Handles;
+use Scalar::Util 'tainted';
 
 $VERSION = '1.00';
 
@@ -343,6 +344,7 @@ sub fork_attach_exec( $% ) {
             @commands,     @command_args
         );
 
+        local $ENV{PATH} if tainted $ENV{PATH};
         exec @command or die "exec() error: $ERRNO";
     }
 
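Review bot: `local $ENV{PATH} if tainted $ENV{PATH};` clears PATH from the child's environment immediately before `exec`, so the gpg process (and anything it spawns, such as gpg-agent or pinentry) starts with no PATH; this is also why the commit message says a non-absolute gpg path can never work in taint mode. Because the statement only fires when the value is tainted, behaviour now differs between `-T` and normal runs, so a one-line comment stating the reason (Perl's `exec` refuses a tainted PATH even when the command is given as an absolute path) would help the next reader. If callers rely on gpg locating helpers via PATH, assigning a fixed untainted value (for example `local $ENV{PATH} = '/usr/bin:/bin';`) would be a safer alternative to removing it entirely. The `local` restore never runs since `exec` replaces the process, which is harmless here.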

-----------------------------------------------------------------------