6 1_validate_14_untaint.t - Test CGI::Ex::Validate's ability to untaint tested fields
11 use Test::More tests => 14;
13 use lib ($Bin =~ /(.+)/ ? "$1/../lib" : ''); # add bin - but untaint it
15 ### Set up taint checking
16 sub is_tainted { local $^W; eval { eval("#" . substr(join("", @_), 0, 0)); 1; } ? 0 : 1 }
21 if (is_tainted($ok)) {
22 skip("is_tainted has false positives($@)", 14);
26 my $taint = join(",", $0, %ENV, @ARGV);
27 if (! is_tainted($taint) && open(my $fh, "/dev/urandom")) {
28 sysread($fh, $taint, 1);
30 $taint = substr($taint, 0, 0);
31 if (! is_tainted($taint)) {
32 skip("is_tainted doesn't appear to work", 14);
35 ### make sure tainted hash values don't bleed into other values
37 if (is_tainted($form)) {
38 skip("Tainted doesn't work", 14);
40 $form->{'foo'} = "123$taint";
41 $form->{'bar'} = "456$taint";
42 $form->{'baz'} = "789";
43 if (! is_tainted($form->{'foo'})) {
44 skip("Tainted hash key didn't work right", 14);
45 } elsif (is_tainted($form->{'baz'})) {
46 # untaint checking doesn't really work
47 skip("Hashes with mixed taint don't work right", 14);
50 ###----------------------------------------------------------------###
51 ### Looks good - here we go
53 use_ok('CGI::Ex::Validate');
57 ok(is_tainted($taint));
58 ok(is_tainted($form->{'foo'}));
59 ok(! is_tainted($form->{'baz'}));
60 ok(! is_tainted($form->{'non_existent_key'}));
62 sub validate { scalar CGI::Ex::Validate::validate(@_) }
65 ###----------------------------------------------------------------###
67 $e = validate($form, {
75 ok(! is_tainted($form->{foo}));
77 ###----------------------------------------------------------------###
79 $e = validate($form, {
86 ok(is_tainted($form->{bar}));
88 ###----------------------------------------------------------------###
90 $e = validate($form, {
98 ok(is_tainted($form->{bar}));
100 ###----------------------------------------------------------------###
102 ok(!is_tainted($form->{foo}));
103 ok( is_tainted($form->{bar}));
104 ok(!is_tainted($form->{baz}));