1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
use strict;
use warnings;
use Config;
# there is talk of possible perl compilations where -T is fatal or just
# doesn't work. We don't want to have the user deal with that.
BEGIN { unless ($INC{'t/lib/DBICTest/WithTaint.pm'}) {
# it is possible the test itself is initially invoked in taint mode
# and with relative paths *and* with a relative $^X and some other
# craziness... in short: just be proactive
require File::Spec;
if (length $ENV{PATH}) {
( $ENV{PATH} ) = join ( $Config{path_sep},
map { length($_) ? File::Spec->rel2abs($_) : () }
split /\Q$Config{path_sep}/, $ENV{PATH}
) =~ /\A(.+)\z/;
}
my ($perl) = $^X =~ /\A(.+)\z/;
{
local $ENV{PATH} = "/nosuchrootbindir";
system( $perl => -T => -e => '
use warnings;
use strict;
eval { my $x = $ENV{PATH} . (kill (0)); 1 } or exit 42;
exit 0;
');
}
if ( ($? >> 8) != 42 ) {
print "1..0 # SKIP Your perl does not seem to like/support -T...\n";
exit 0;
}
exec( $perl, qw( -I. -Mt::lib::DBICTest::WithTaint -T ), __FILE__ );
}}
# When in taint mode, PERL5LIB is ignored (but *not* unset)
# Put it back in INC so that local-lib users can actually
# run this test. Use lib.pm instead of an @INC unshift as
# it will correctly add any arch subdirs encountered
use lib (
grep { length }
map { split /\Q$Config{path_sep}\E/, (/^(.*)$/)[0] } # untainting regex
grep { defined }
@ENV{qw(PERL5LIB PERLLIB)} # precedence preserved by lib
);
# We need to specify 'lib' here as well because even if it was already in
# @INC, the above will have put our local::lib in front of it, so now an
# installed DBIx::Class will take precedence over the one we're trying to test.
# In some cases, prove will have supplied ./lib as an absolute path so it
# doesn't seem worth trying to remove the second copy since it won't hurt
# anything.
use lib qw(t/lib lib);
use Test::More;
use Test::Exception;
use DBICTest;
throws_ok (
sub { $ENV{PATH} . (kill (0)) },
qr/Insecure dependency in kill/,
'taint mode active'
) if length $ENV{PATH};
{
package DBICTest::Taint::Classes;
use Test::More;
use Test::Exception;
use base qw/DBIx::Class::Schema/;
lives_ok (sub {
__PACKAGE__->load_classes(qw/Manual/);
ok( __PACKAGE__->source('Manual'), 'The Classes::Manual source has been registered' );
__PACKAGE__->_unregister_source (qw/Manual/);
}, 'Loading classes with explicit load_classes worked in taint mode' );
lives_ok (sub {
__PACKAGE__->load_classes();
ok( __PACKAGE__->source('Auto'), 'The Classes::Auto source has been registered' );
ok( __PACKAGE__->source('Auto'), 'The Classes::Manual source has been re-registered' );
}, 'Loading classes with Module::Find/load_classes worked in taint mode' );
}
{
package DBICTest::Taint::Namespaces;
use Test::More;
use Test::Exception;
use base qw/DBIx::Class::Schema/;
lives_ok (sub {
__PACKAGE__->load_namespaces();
ok( __PACKAGE__->source('Test'), 'The Namespaces::Test source has been registered' );
}, 'Loading classes with Module::Find/load_namespaces worked in taint mode' );
}
# check that we can create a database and all
{
my $s = DBICTest->init_schema( sqlite_use_file => 1 );
my $art = $s->resultset('Artist')->search({}, {
prefetch => 'cds', order_by => 'artistid',
})->next;
is ($art->artistid, 1, 'got artist');
}
done_testing;
|
