Fixes bug RT-78272

https://rt.cpan.org/Public/Bug/Display.html?id=78272

Just copied UNIVERSAL::require's solution to the same problem.
I didn't just use it as to not add any non-test dependency.

1 files changed, 33 insertions, 0 deletions

diff --git a/t/bug-rt-78272.t b/t/bug-rt-78272.t
new file mode 100644
index 0000000..670782b
--- /dev/null
+++ b/t/bug-rt-78272.t
@@ -0,0 +1,33 @@
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Exception;
+
+subtest 'Bug RT-78272: Arbitrary code execution from $ENV' => sub {
+
+    # https://rt.cpan.org/Public/Bug/Display.html?id=78272
+    my $e = $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP; exit 1";
+    throws_ok {
+        require Package::Stash;
+    }
+    qr/^Could not load Package::Stash::$e/,
+      'Arbitrary code in $ENV throws exception';
+
+    throws_ok {
+        delete $INC{'Package/Stash.pm'};
+        require Package::Stash;
+    }
+    qr/^Could not load Package::Stash::$e/,
+      'Sanity check: forcing package reload throws the exception again';
+
+    lives_ok {
+        $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP";
+        delete $INC{'Package/Stash.pm'};
+        require Package::Stash;
+        new_ok(
+            'Package::Stash' => ['Foo'],
+            'Loaded and able to create instances'
+        );
+    }
+    'Valid $ENV value loads correctly';
+};