Bug 470442: Only delete tainted environment variables if we're running in taint mode

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit

Bug 470442: Only delete tainted environment variables if we're running in taint mode
570ca770 · mkanat%bugzilla.org · 70b73512 · 570ca770 · 570ca770 · 570ca770
Commit 570ca770 authored Dec 22, 2008 by mkanat%bugzilla.org
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 10 deletions

Bugzilla.pm Bugzilla.pm +3 -0

checksetup.pl checksetup.pl +0 -3

testserver.pl testserver.pl +1 -7

No files found.
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -83,11 +83,14 @@ use constant SHUTDOWNHTML_EXIT_SILENTLY => [
 sub init_page {
    (binmode STDOUT, ':utf8') if Bugzilla->params->{'utf8'};
+    if (${^TAINT}) {
        # Some environment variables are not taint safe
        delete @::ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
        # Some modules throw undefined errors (notably File::Spec::Win32) if
        # PATH is undefined.
        $ENV{'PATH'} = '';
+    }
    # IIS prints out warnings to the webpage, so ignore them, or log them
    # to a file if the file exists.

--- a/checksetup.pl
+++ b/checksetup.pl
@@ -95,10 +95,7 @@ exit if $switch{'check-modules'};
 # then instead of our nice normal checksetup message, the user would
 # get a cryptic perl error about the missing module.
-# We need $::ENV{'PATH'} to remain defined.
-my $env = $::ENV{'PATH'};
 require Bugzilla;
-$::ENV{'PATH'} = $env;
 require Bugzilla::Config;
 import Bugzilla::Config qw(:admin);

--- a/testserver.pl
+++ b/testserver.pl
@@ -21,13 +21,7 @@
 use strict;
 use lib qw(. lib);
-BEGIN {
+use Bugzilla;
-    my $envpath = $ENV{'PATH'};
-    require Bugzilla;
-    # $ENV{'PATH'} is required by the 'ps' command to run correctly.
-    $ENV{'PATH'} = $envpath;
-}
 use Bugzilla::Constants;
 use Socket;