From 570ca770d29d7800f79d6789c2b1142e383a348a Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Mon, 22 Dec 2008 15:50:50 +0000
Subject: Bug 470442: Only delete tainted environment variables if we're running in taint mode Patch By Max Kanat-Alexander r=LpSolit, a=LpSolit
---
 Bugzilla.pm | 13 ++++++++-----
 checksetup.pl | 3 ---
 testserver.pl | 8 +-------
 3 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/Bugzilla.pm b/Bugzilla.pm
index 354d05148..00740682c 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -83,11 +83,14 @@ use constant SHUTDOWNHTML_EXIT_SILENTLY => [
 sub init_page {
 (binmode STDOUT, ':utf8') if Bugzilla->params->{'utf8'};
- # Some environment variables are not taint safe
- delete @::ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
- # Some modules throw undefined errors (notably File::Spec::Win32) if
- # PATH is undefined.
- $ENV{'PATH'} = '';
+
+ if (${^TAINT}) {
+ # Some environment variables are not taint safe
+ delete @::ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+ # Some modules throw undefined errors (notably File::Spec::Win32) if
+ # PATH is undefined.
+ $ENV{'PATH'} = '';
+ }
 # IIS prints out warnings to the webpage, so ignore them, or log them
 # to a file if the file exists.
diff --git a/checksetup.pl b/checksetup.pl
index 74b21dfda..da368a822 100755
--- a/checksetup.pl
+++ b/checksetup.pl
@@ -95,10 +95,7 @@ exit if $switch{'check-modules'};
 # then instead of our nice normal checksetup message, the user would
 # get a cryptic perl error about the missing module.
-# We need $::ENV{'PATH'} to remain defined.
-my $env = $::ENV{'PATH'};
 require Bugzilla;
-$::ENV{'PATH'} = $env;
 require Bugzilla::Config;
 import Bugzilla::Config qw(:admin);
diff --git a/testserver.pl b/testserver.pl
index 9b649277c..d3cab1dc5 100755
--- a/testserver.pl
+++ b/testserver.pl
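Review bot: In the Bugzilla.pm hunk, the new `if (${^TAINT})` guard in init_page means the PATH/IFS/CDPATH/ENV/BASH_ENV scrub is skipped for every entry point that loads Bugzilla without -T, so those processes keep whatever environment their caller supplied for any later subprocess call. The comment inside the block still only says the variables are "not taint safe" and does not record that leaving them in place outside taint mode is deliberate. I would add above the guard something like `# Only scrub under -T; scripts run without taint mode (e.g. checksetup.pl, testserver.pl) keep the invoking user's environment and must only be run by a trusted admin.` Whether any non-taint script is reachable from a web request is not visible here and should be confirmed. init_page continues past the end of the hunk.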
@@ -21,13 +21,7 @@ use strict;
 use lib qw(. lib);
-BEGIN {
- my $envpath = $ENV{'PATH'};
- require Bugzilla;
- # $ENV{'PATH'} is required by the 'ps' command to run correctly.
- $ENV{'PATH'} = $envpath;
-}
-
+use Bugzilla;
 use Bugzilla::Constants;
 use Socket;
-- 
cgit v1.2.3-24-g4f1b
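Review bot: With the BEGIN block gone, nothing in testserver.pl records that the script depends on an inherited PATH; the removed comment was the only place saying the 'ps' command needs it. After this change that only holds while the script runs without -T, since init_page now clears PATH under taint mode; the shebang and the ps call are outside the hunk, so this is inferred. I would keep a one-line comment next to the import, e.g. `# Run without -T: Bugzilla's init_page empties PATH in taint mode and the 'ps' call below needs it.` Since ps is then resolved through the caller's PATH, invoking it by absolute path would remove that dependency.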