From 573190b516e0b6ef533bc007c835ef154cb242d3 Mon Sep 17 00:00:00 2001
From: Graham Knop
Date: Wed, 21 Jan 2015 19:33:52 -0500
Subject: [PATCH 1/2] ensure decode is tested against a tainted string to isolate failures

---
 t/taint.t | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 t/taint.t

diff --git a/t/taint.t b/t/taint.t
old mode 100644
new mode 100755
index 1ad033b..2446dd7
--- a/t/taint.t
+++ b/t/taint.t
@@ -3,7 +3,8 @@ use strict;
 use Encode qw(encode decode);
 use Scalar::Util qw(tainted);
 use Test::More;
-my $str = "dan\x{5f3e}" . substr($ENV{PATH},0,0); # tainted string to encode
+my $taint = substr($ENV{PATH},0,0);
+my $str = "dan\x{5f3e}" . $taint; # tainted string to encode
 my $bin = encode('UTF-8', $str); # tainted binary to decode
 my @names = Encode->encodings(':all');
 plan tests => 2 * @names;
@@ -16,7 +17,7 @@ for my $name (@names) {
 skip $@, 1 if $@;
 ok tainted($e), "encode $name";
 }
- $bin = $e if $e;
+ $bin = $e.$taint if $e;
 eval {
 $d = decode($name, $bin);
 };
From f43da80043ae4ba222430e1dec6da2902e0248eb Mon Sep 17 00:00:00 2001
From: Graham Knop
Date: Wed, 21 Jan 2015 19:38:22 -0500
Subject: [PATCH 2/2] maintain taint flag when encoding MIME on old perl

On perl 5.8.8 and below, loading utf8_heavy.pl (which happens implictly in many places) will cause a split using a character class to not maintain the taint flag. Since the MIME header encoding reconstructs the string after splitting it, we need to explicitly copy the taint flag using a substr($s, 0, 0).
---
 lib/Encode/MIME/Header.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Encode/MIME/Header.pm b/lib/Encode/MIME/Header.pm
index 090a177..96b1753 100644
--- a/lib/Encode/MIME/Header.pm
+++ b/lib/Encode/MIME/Header.pm
@@ -139,7 +139,7 @@ sub encode($$;$) {
 push @line, join( "\n " => @subline );
 }
 $_[1] = '' if $chk;
- return join( "\n", @line );
+ return (substr($str, 0, 0) . join( "\n", @line ));
 }

 use constant HEAD => '=?UTF-8?';
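Review bot: The new `$taint` in the first t/taint.t hunk is assumed to be tainted, but nothing checks it. It depends on the script running under taint mode and on `$ENV{PATH}` being set, and neither is visible here because the first two lines of the file are outside the hunk. If either does not hold, every `tainted(...)` assertion in the loop fails for a reason unrelated to Encode. A guard directly after the assignment and before `plan tests`, for example `plan skip_all => 'no tainted input available' unless tainted($taint);`, would make that precondition explicit.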
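Review bot: `$bin = $e.$taint if $e;` in the second t/taint.t hunk needs a comment, because appending an empty string looks like a no-op to anyone who does not know it carries the taint flag. Suggested: `# re-taint explicitly so the decode check does not depend on encode() having preserved taint`. The `if $e` guard also appears to leave `$bin` holding earlier bytes when an encode fails or returns a false value, so decode for that encoding would run on another encoding's output. That predates this commit, but it is worth noting in the same comment. The enclosing `for` loop starts and ends outside the hunk.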
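Review bot: The `substr($str, 0, 0)` prefix on the new return line in lib/Encode/MIME/Header.pm has no comment and reads as dead code, so a later cleanup could remove it and silently drop the taint flag from encoded headers on perl 5.8.8 and below. Put the reason next to it: `# substr($str, 0, 0) copies $str's taint flag; split on a character class loses it on perl <= 5.8.8 once utf8_heavy.pl is loaded`. `$str` is assigned outside this hunk, so confirm it still holds the caller's original input at this point and is always defined; otherwise the substr would warn or carry no taint. The parentheses around the return expression are redundant.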