Bug 470442: Only delete tainted environment variables if we're running in taint mode

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit

3 files changed, 9 insertions, 15 deletions

diff --git a/Bugzilla.pm b/Bugzilla.pm
index 354d05148..00740682c 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -83,11 +83,14 @@ use constant SHUTDOWNHTML_EXIT_SILENTLY => [
 sub init_page {
     (binmode STDOUT, ':utf8') if Bugzilla->params->{'utf8'};
 
-    # Some environment variables are not taint safe
-    delete @::ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
-    # Some modules throw undefined errors (notably File::Spec::Win32) if
-    # PATH is undefined.
-    $ENV{'PATH'} = '';
+
+    if (${^TAINT}) {
+        # Some environment variables are not taint safe
+        delete @::ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+        # Some modules throw undefined errors (notably File::Spec::Win32) if
+        # PATH is undefined.
+        $ENV{'PATH'} = '';
+    }
 
     # IIS prints out warnings to the webpage, so ignore them, or log them
     # to a file if the file exists.
diff --git a/checksetup.pl b/checksetup.pl
index 74b21dfda..da368a822 100755
--- a/checksetup.pl
+++ b/checksetup.pl
@@ -95,10 +95,7 @@ exit if $switch{'check-modules'};
 # then instead of our nice normal checksetup message, the user would
 # get a cryptic perl error about the missing module.
 
-# We need $::ENV{'PATH'} to remain defined.
-my $env = $::ENV{'PATH'};
 require Bugzilla;
-$::ENV{'PATH'} = $env;
 
 require Bugzilla::Config;
 import Bugzilla::Config qw(:admin);
diff --git a/testserver.pl b/testserver.pl
index 9b649277c..d3cab1dc5 100755
--- a/testserver.pl
+++ b/testserver.pl
@@ -21,13 +21,7 @@
 use strict;
 use lib qw(. lib);
 
-BEGIN {
-    my $envpath = $ENV{'PATH'};
-    require Bugzilla;
-    # $ENV{'PATH'} is required by the 'ps' command to run correctly.
-    $ENV{'PATH'} = $envpath;
-}
-
+use Bugzilla;
 use Bugzilla::Constants;
 
 use Socket;