From: joey
Date: Sat, 13 Oct 2007 22:18:33 +0000 (+0000)
Subject: untaint plugin filename, will be tainted if specified at the command line
X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/commitdiff_plain/5b7edbf2a43b81e19adfbe6ed915798f55292f3d
untaint plugin filename, will be tainted if specified at the command line
---
diff --git a/IkiWiki/Plugin/external.pm b/IkiWiki/Plugin/external.pm
index 9c31a70eb..f76b42c99 100644
--- a/IkiWiki/Plugin/external.pm
+++ b/IkiWiki/Plugin/external.pm
@@ -20,7 +20,8 @@ sub import { #{{{
 return unless defined $plugin;
 my ($plugin_read, $plugin_write);
- my $pid = open2($plugin_read, $plugin_write, $plugin);
+ my $pid = open2($plugin_read, $plugin_write,
+ IkiWiki::possibly_foolish_untaint($plugin));
 # open2 doesn't respect "use open ':utf8'"
 binmode($plugin_read, ':utf8');
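Review bot: The untaint on the new `open2` argument is applied without any validation of `$plugin`, so taint mode no longer guards the one place where this value becomes a command. Judging by its name, `possibly_foolish_untaint` accepts any string, and a single-string command given to `open2` is handed to the shell when it contains metacharacters. If the plugin name can only come from the admin's own command line or setup file this is acceptable, but the call deserves a comment saying so, e.g. `# plugin name is admin-supplied (command line / setup file), so untainting is safe`. Otherwise constrain it first, e.g. `my ($safe) = $plugin =~ m{\A([\w./+-]+)\z} or die "bad plugin name";`, and pass `$safe` to `open2`. The body of `import` starts and ends outside the hunk, so how `$plugin` is assigned is not visible here.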