From: mkanat%bugzilla.org <> Date: Mon, 2 Nov 2009 14:50:18 +0000 (+0000) Subject: Bug 518404: Make email_in.pl run in taint mode X-Git-Tag: bugzilla-3.5.1~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0deda7524d6389ecb93d291c4f6951039f1a086;p=thirdparty%2Fbugzilla.git Bug 518404: Make email_in.pl run in taint mode Patch by Vitaliy Filippov r=mkanat, a=mkanat --- diff --git a/email_in.pl b/email_in.pl old mode 100644 new mode 100755 index f06dd0e31c..1ec2a19df5 --- a/email_in.pl +++ b/email_in.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -26,7 +26,11 @@ use warnings; # run from this one so that it can find its modules. use Cwd qw(abs_path); use File::Basename qw(dirname); -BEGIN { chdir dirname(abs_path($0)); } +BEGIN { + # Untaint the abs_path. + my ($a) = abs_path($0) =~ /^(.*)$/; + chdir dirname($a); +} use lib qw(. lib); @@ -503,7 +507,7 @@ normal Bugzilla interface. So, for example, you cannot reassign a bug and change its status at the same time. The email interface only accepts emails that are correctly formatted -perl RFC2822. If you send it an incorrectly formatted message, it +per RFC2822. If you send it an incorrectly formatted message, it may behave in an unpredictable fashion. You cannot send an HTML mail along with attachments. If you do, Bugzilla
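Review bot: The `-T` added to the shebang line is only honoured when the script is executed directly (which the 100644→100755 mode change in this patch makes possible); if it is started as `perl email_in.pl` without `-T` on the command line, perl refuses to run it ("Too late for -T option"), so any MTA alias or procmail rule that invokes it that way will stop working after this change. Nothing in the patch tells administrators about this, and the POD further down the file (part of it is visible in the third hunk) is the natural place. I would add a sentence to the POD such as `This script runs in taint mode (-T); invoke it directly or as C<perl -T email_in.pl>, since C<perl email_in.pl> will fail to start.`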
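Review bot: The untaint in the new BEGIN block, `my ($a) = abs_path($0) =~ /^(.*)$/;`, accepts any value and so launders `abs_path($0)` rather than validating it; the comment `# Untaint the abs_path.` should say why that is acceptable here — the value is the path of this very script, trusted to the same degree as the code being run — otherwise it reads as exactly the blanket untaint that perlsec warns against, and a later reader may copy the idiom onto genuinely untrusted data. Two smaller points on the same lines: `my ($a)` lexically shadows the special sort variable `$a` (harmless inside this BEGIN block, but perlcritic flags it and it is an easy trap if the block grows), and `chdir` remains unchecked, so a failed chdir leaves the following `use lib qw(. lib)` silently pointing at whatever the current directory happens to be. Suggested: `my ($script_path) = abs_path($0) =~ /^(.*)$/;` and `chdir dirname($script_path) or die "chdir to script directory failed: $!";`, with the comment `# $0 is tainted under -T; it names this script itself, so a blanket untaint is acceptable here.`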