From 88df0132fe7e987da18a2c0e11890d1604afb344 Mon Sep 17 00:00:00 2001
From: Andreas Romeyke <andreas.romeyke@slub-dresden.de>
Date: Thu, 16 Feb 2023 10:39:17 +0100
Subject: [PATCH] - untaint environment

---
 lib/SLUB/LZA/Rosetta/TA.pm | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/SLUB/LZA/Rosetta/TA.pm b/lib/SLUB/LZA/Rosetta/TA.pm
index 87fd344..81b2140 100644
--- a/lib/SLUB/LZA/Rosetta/TA.pm
+++ b/lib/SLUB/LZA/Rosetta/TA.pm
@@ -19,8 +19,14 @@ our %config;
 our %cache;
 our $cache_path;
 our $SALT = pack("H16", "There is no security by obscurity!");
-BEGIN{
-    my $home = path($ENV{'HOME'});
+BEGIN {
+    my $rx_psep = qr{[/\\]};
+    my $rx_abs  = qr{[A-Z]:};
+    my $rx_sub  = qr{([[:print:]]+)};
+    $ENV{'HOME'} =~ m{^(($rx_abs)?($rx_psep$rx_sub)+)$}m;
+    # untaint $homestr
+    my $homestr = $1;
+    my $home = path($homestr);
     if ($home->is_dir() && !$home->is_rootdir) {
         my $config_path = $home->child('.config')->child('ta-tool.rc');
         our $config_file = $config_path;
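Review bot: The match on line 24 is never checked, so when HOME is unset or does not fit the pattern, `$1` is undef (or a stale capture left by an earlier successful match) and `path($homestr)` on line 27 runs regardless; as far as I recall Path::Tiny's `path()` croaks on an undefined argument, which would turn an odd environment into a compile-time failure of the module instead of simply skipping the config lookup. The `^`/`$` anchors under `/m` are also the wrong shape for an untaint: a HOME containing a newline matches on its first line only and is silently truncated rather than rejected, where `\A`/`\z` would reject it. Finally, `[[:print:]]+` admits `..`, spaces and anything else printable, so this clears the taint flag without validating the path at all — that is probably acceptable for the invoking user's own HOME, but the `# untaint $homestr` comment should say so rather than suggest the value has been checked. The enclosing BEGIN block continues past the end of this hunk.
```perl
    my $rx_sub  = qr{([[:print:]]+)};
    # Untaint HOME for -T: any printable path is accepted, so this only
    # clears the taint flag; the real checks are is_dir()/is_rootdir below.
    my $homestr;
    if (defined $ENV{'HOME'}
        && $ENV{'HOME'} =~ m{\A(($rx_abs)?($rx_psep$rx_sub)+)\z}) {
        $homestr = $1;
    }
    my $home = defined $homestr ? path($homestr) : undef;
    if ($home && $home->is_dir() && !$home->is_rootdir) {
        # … unchanged: config file lookup …
```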
@@ -32,10 +38,11 @@ BEGIN{
             }
         }
         $cache_path = $home->child('.cache')->child('ta-tool.cache');
-        if ($cache_path->is_file and -s $cache_path < 8192*1024) { # if size > 8MB, write new at end, see END{}-block
+        if ($cache_path->is_file and -s $cache_path < 8192 * 1024) { # if size > 8MB, write new at end, see END{}-block
             %cache = YAML::LoadFile($cache_path);
         }
     }
+
 }
 
 END {
-- 
GitLab