From bcc7f413d40988759ea3ee73f9beb52b299cf1bb Mon Sep 17 00:00:00 2001
From: Carlos Lima
Date: Fri, 7 Dec 2012 01:08:23 +0800
Subject: Fixes bug RT-78272 https://rt.cpan.org/Public/Bug/Display.html?id=78272 Just copied UNIVERSAL::require's solution to the same problem. I didn't just use it as to not add any non-test dependency.
---
t/bug-rt-78272.t | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 t/bug-rt-78272.t
(limited to 't')
diff --git a/t/bug-rt-78272.t b/t/bug-rt-78272.t
new file mode 100644
index 0000000..670782b
--- /dev/null
+++ b/t/bug-rt-78272.t
@@ -0,0 +1,33 @@
+use strict;
+use warnings;
+use Test::More tests => 1;
+use Test::Exception;
+
+subtest 'Bug RT-78272: Arbitrary code execution from $ENV' => sub {
+
+ # https://rt.cpan.org/Public/Bug/Display.html?id=78272
+ my $e = $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP; exit 1";
+ throws_ok {
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Arbitrary code in $ENV throws exception';
+
+ throws_ok {
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ }
+ qr/^Could not load Package::Stash::$e/,
+ 'Sanity check: forcing package reload throws the exception again';
+
+ lives_ok {
+ $ENV{PACKAGE_STASH_IMPLEMENTATION} = "PP";
+ delete $INC{'Package/Stash.pm'};
+ require Package::Stash;
+ new_ok(
+ 'Package::Stash' => ['Foo'],
+ 'Loaded and able to create instances'
+ );
+ }
+ 'Valid $ENV value loads correctly';
+};
-- cgit v1.2.3
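Review bot: Both `throws_ok` patterns interpolate `$e` into the regex unescaped, so they match only because "PP; exit 1" happens to contain no metacharacters; `qr/^Could not load Package::Stash::\Q$e\E/` would keep the assertion exact if the sample value ever changes. The assignment to `$ENV{PACKAGE_STASH_IMPLEMENTATION}` is not localized either; declaring `local $ENV{PACKAGE_STASH_IMPLEMENTATION};` at the top of the subtest would scope both writes to it. If the validation in Package::Stash regresses, the value's `exit 1` presumably ends the test process inside the first `throws_ok`, so the failure would surface as a missing plan and a non-zero exit status rather than a named test; a short comment above `my $e` saying so would help triage. The view is limited to `t`, so whether Test::Exception is declared as a test prerequisite cannot be confirmed from here.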