diff options
-rw-r--r-- | Bugzilla/Install/Util.pm | 7 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 17 |
2 files changed, 3 insertions, 21 deletions
diff --git a/Bugzilla/Install/Util.pm b/Bugzilla/Install/Util.pm index 9cec8c435..250ab9157 100644 --- a/Bugzilla/Install/Util.pm +++ b/Bugzilla/Install/Util.pm @@ -31,6 +31,7 @@ use Bugzilla::Constants; use File::Basename; use POSIX qw(setlocale LC_CTYPE); use Safe; +use Scalar::Util qw(tainted); use base qw(Exporter); our @EXPORT_OK = qw( @@ -109,7 +110,7 @@ sub install_string { foreach my $key (@replace_keys) { my $replacement = $vars->{$key}; die "'$key' in '$string_id' is tainted: '$replacement'" - if is_tainted($replacement); + if tainted($replacement); # We don't want people to start getting clever and inserting # ##variable## into their values. So we check if any other # key is listed in the *replacement* string, before doing @@ -354,10 +355,6 @@ sub trick_taint { return (defined($_[0])); } -sub is_tainted { - return not eval { my $foo = join('',@_), kill 0; 1; }; -} - __END__ =head1 NAME diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 8666b18ff..991bfedc1 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -31,7 +31,7 @@ package Bugzilla::Util; use strict; use base qw(Exporter); -@Bugzilla::Util::EXPORT = qw(is_tainted trick_taint detaint_natural +@Bugzilla::Util::EXPORT = qw(trick_taint detaint_natural detaint_signed html_quote url_quote xml_quote css_class_quote html_light_quote url_decode @@ -56,16 +56,6 @@ use Digest; use Scalar::Util qw(tainted); use Text::Wrap; -# This is from the perlsec page, slightly modified to remove a warning -# From that page: -# This function makes use of the fact that the presence of -# tainted data anywhere within an expression renders the -# entire expression tainted. -# Don't ask me how it works... -sub is_tainted { - return not eval { my $foo = join('',@_), kill 0; 1; }; -} - sub trick_taint { require Carp; Carp::confess("Undef to trick_taint") unless defined $_[0]; @@ -640,7 +630,6 @@ Bugzilla::Util - Generic utility functions for bugzilla use Bugzilla::Util; # Functions for dealing with variable tainting - $rv = is_tainted($var); trick_taint($var); detaint_natural($var); detaint_signed($var); @@ -704,10 +693,6 @@ with care> to avoid security holes. =over 4 -=item C<is_tainted> - -Determines whether a particular variable is tainted - =item C<trick_taint($val)> Tricks perl into untainting a particular variable. |