authorYves Orton <demerphq@gmail.com>2022-04-19 17:55:40 +0200
committerYves Orton <demerphq@gmail.com>2022-04-20 03:47:10 +0200
commit5ede4453c4877110eb5214ff400c173210b101b1 (patch)
tree8ef8a3f4b069ab8221d52a6f78d08671f6a0b963 /dist/PathTools
parent33349b53c2e4df3292c79435e54fc98824e4cba8 (diff)
mg.c, Cwd.pm - Empty path is the same as "." which is forbidden under taint
Having a relative path, including ".", is forbidden under taint. On *nix an empty PATH or an empty PATH component is equivalent to a PATH of ".", so they should be forbidden as well. Note that on Windows the current working directory is ALWAYS checked first if you try to execute something that does not specify its path, regardless of the PATH. I do not know what happens on VMS and I do not have access to a VMS environment to test. There are totally different codepaths for VMS as well. This patch does not (or rather should not) change behavior for VMS. Note this includes a version bump for all modules in dist/PathTools
Diffstat (limited to 'dist/PathTools')
-rw-r--r--dist/PathTools/Changes4
-rw-r--r--dist/PathTools/Cwd.pm10
-rw-r--r--dist/PathTools/lib/File/Spec.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/AmigaOS.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/Cygwin.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/Epoc.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/Functions.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/Mac.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/OS2.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/Unix.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/VMS.pm2
-rw-r--r--dist/PathTools/lib/File/Spec/Win32.pm2
12 files changed, 22 insertions, 12 deletions
diff --git a/dist/PathTools/Changes b/dist/PathTools/Changes
index 1e65e9c4e2..99e0fe3cfb 100644
--- a/dist/PathTools/Changes
+++ b/dist/PathTools/Changes
@@ -1,5 +1,9 @@
Revision history for Perl distribution PathTools.
+3.85
+
+- Fix issue related to tainting empty PATH
+
3.84
- Add PerlIO_readlink backcompat defines to Cws.xs
diff --git a/dist/PathTools/Cwd.pm b/dist/PathTools/Cwd.pm
index 06835833e6..6fb135ce63 100644
--- a/dist/PathTools/Cwd.pm
+++ b/dist/PathTools/Cwd.pm
@@ -3,7 +3,7 @@ use strict;
use Exporter;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
my $xs_version = $VERSION;
$VERSION =~ tr/_//d;
@@ -192,8 +192,14 @@ sub _backtick_pwd {
# Localize %ENV entries in a way that won't create new hash keys.
# Under AmigaOS we don't want to localize as it stops perl from
# finding 'sh' in the PATH.
- my @localize = grep exists $ENV{$_}, qw(PATH IFS CDPATH ENV BASH_ENV) if $^O ne "amigaos";
+ my @localize = grep exists $ENV{$_}, qw(IFS CDPATH ENV BASH_ENV) if $^O ne "amigaos";
local @ENV{@localize} if @localize;
+ # empty PATH is the same as "." on *nix, so localize it to /something/
+ # we won't *use* the path as code above turns $pwd_cmd into a specific
+ # executable, but it will blow up anyway under taint. We could set it to
+ # anything absolute. Perhaps "/" would be better.
+ local $ENV{PATH}= "/usr/bin"
+ if $^O ne "vms" and $^O ne "amigaos";
my $cwd = `$pwd_cmd`;
# Belt-and-suspenders in case someone said "undef $/".
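Review bot: The comment at the top of this hunk still promises localization "in a way that won't create new hash keys", but the added `local $ENV{PATH}= "/usr/bin"` assigns PATH for the duration of the backtick whether or not the key existed, on every platform except VMS and AmigaOS. I would reword that leading comment to say that only IFS, CDPATH, ENV and BASH_ENV are localized conditionally, and that PATH is deliberately forced to an absolute directory so an empty or missing PATH cannot act as "." under taint. The added comment also leaves the choice of directory open ("Perhaps "/" would be better"), and its claim that the path is never used depends on `$pwd_cmd` being an absolute path, which is set outside this hunk, so that assumption is worth stating explicitly. Separately, the rewritten line keeps `my @localize = ... if $^O ne "amigaos"`, a `my` with a statement modifier, which perlsyn documents as undefined behaviour; `my @localize = $^O ne "amigaos" ? grep(exists $ENV{$_}, qw(IFS CDPATH ENV BASH_ENV)) : ();` avoids it. The body of `_backtick_pwd` starts and ends outside the hunk.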
diff --git a/dist/PathTools/lib/File/Spec.pm b/dist/PathTools/lib/File/Spec.pm
index e0a49edb83..da3c544b84 100644
--- a/dist/PathTools/lib/File/Spec.pm
+++ b/dist/PathTools/lib/File/Spec.pm
@@ -2,7 +2,7 @@ package File::Spec;
use strict;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
my %module = (
diff --git a/dist/PathTools/lib/File/Spec/AmigaOS.pm b/dist/PathTools/lib/File/Spec/AmigaOS.pm
index a29617c7bd..0bb2d261cc 100644
--- a/dist/PathTools/lib/File/Spec/AmigaOS.pm
+++ b/dist/PathTools/lib/File/Spec/AmigaOS.pm
@@ -3,7 +3,7 @@ package File::Spec::AmigaOS;
use strict;
require File::Spec::Unix;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
our @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Cygwin.pm b/dist/PathTools/lib/File/Spec/Cygwin.pm
index e21c0bb550..aadc7c6009 100644
--- a/dist/PathTools/lib/File/Spec/Cygwin.pm
+++ b/dist/PathTools/lib/File/Spec/Cygwin.pm
@@ -3,7 +3,7 @@ package File::Spec::Cygwin;
use strict;
require File::Spec::Unix;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
our @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Epoc.pm b/dist/PathTools/lib/File/Spec/Epoc.pm
index 2429bb2925..4b9389a0ff 100644
--- a/dist/PathTools/lib/File/Spec/Epoc.pm
+++ b/dist/PathTools/lib/File/Spec/Epoc.pm
@@ -2,7 +2,7 @@ package File::Spec::Epoc;
use strict;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
require File::Spec::Unix;
diff --git a/dist/PathTools/lib/File/Spec/Functions.pm b/dist/PathTools/lib/File/Spec/Functions.pm
index a09150cfdf..1513715a9a 100644
--- a/dist/PathTools/lib/File/Spec/Functions.pm
+++ b/dist/PathTools/lib/File/Spec/Functions.pm
@@ -3,7 +3,7 @@ package File::Spec::Functions;
use File::Spec;
use strict;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
require Exporter;
diff --git a/dist/PathTools/lib/File/Spec/Mac.pm b/dist/PathTools/lib/File/Spec/Mac.pm
index 369d1f02ca..34dc67c47b 100644
--- a/dist/PathTools/lib/File/Spec/Mac.pm
+++ b/dist/PathTools/lib/File/Spec/Mac.pm
@@ -4,7 +4,7 @@ use strict;
use Cwd ();
require File::Spec::Unix;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
our @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/OS2.pm b/dist/PathTools/lib/File/Spec/OS2.pm
index 604e2e30e9..5fe1751149 100644
--- a/dist/PathTools/lib/File/Spec/OS2.pm
+++ b/dist/PathTools/lib/File/Spec/OS2.pm
@@ -4,7 +4,7 @@ use strict;
use Cwd ();
require File::Spec::Unix;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
our @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Unix.pm b/dist/PathTools/lib/File/Spec/Unix.pm
index 52904b4857..77d5303809 100644
--- a/dist/PathTools/lib/File/Spec/Unix.pm
+++ b/dist/PathTools/lib/File/Spec/Unix.pm
@@ -3,7 +3,7 @@ package File::Spec::Unix;
use strict;
use Cwd ();
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
=head1 NAME
diff --git a/dist/PathTools/lib/File/Spec/VMS.pm b/dist/PathTools/lib/File/Spec/VMS.pm
index 69a39bb5ff..eadea51a99 100644
--- a/dist/PathTools/lib/File/Spec/VMS.pm
+++ b/dist/PathTools/lib/File/Spec/VMS.pm
@@ -4,7 +4,7 @@ use strict;
use Cwd ();
require File::Spec::Unix;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
our @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Win32.pm b/dist/PathTools/lib/File/Spec/Win32.pm
index b05b535ebb..56c1ba900c 100644
--- a/dist/PathTools/lib/File/Spec/Win32.pm
+++ b/dist/PathTools/lib/File/Spec/Win32.pm
@@ -5,7 +5,7 @@ use strict;
use Cwd ();
require File::Spec::Unix;
-our $VERSION = '3.84';
+our $VERSION = '3.85';
$VERSION =~ tr/_//d;
our @ISA = qw(File::Spec::Unix);