Remove tainting behavior. Remove Scalar::Util as a prereq.

petdance · oalders · commit fe65d9bc7916 · 2024-10-27T14:55:13.000-04:00
diff --git a/Changes b/Changes
@@ -1,6 +1,9 @@
 Revision history for WWW::Mechanize
 
 {{$NEXT}}
+    [ENHANCEMENTS]
+    - WWW::Mechanize no longer taints the responses it receives.  This also
+    removes Test::Taint as a prerequisite.
 
 2.19      2024-09-16 15:25:45Z
     [DOCUMENTATION]
diff --git a/dist.ini b/dist.ini
@@ -25,7 +25,6 @@ dir = script
 [Prereqs / RuntimeRequires]
 perl = 5.008
 HTML::Form = 6.08
-Scalar::Util = 1.14
 
 [Prereqs / TestRequires]
 HTTP::Daemon = 6.12
diff --git a/lib/WWW/Mechanize.pm b/lib/WWW/Mechanize.pm
@@ -140,7 +140,6 @@ use Tie::RefHash       ();
 use HTTP::Request 1.30 ();
 use HTML::Form 1.00    ();
 use HTML::TokeParser   ();
-use Scalar::Util       qw( tainted );
 
 use parent 'LWP::UserAgent';
 
@@ -3364,8 +3363,6 @@ sub _update_page {
     my $content = $res->decoded_content();
     $content = $res->content if ( not defined $content );
 
-    $content .= _taintedness();
-
     if ( $self->is_html ) {
         $self->update_html($content);
     }
@@ -3376,43 +3373,6 @@ sub _update_page {
     return $res;
 }    # _update_page
 
-our $_taintbrush;
-
-# This is lifted wholesale from Test::Taint
-sub _taintedness {
-    return $_taintbrush if defined $_taintbrush;
-
-    # Somehow we need to get some taintedness into our $_taintbrush.
-    # Let's try the easy way first. Either of these should be
-    # tainted, unless somebody has untainted them, so this
-    # will almost always work on the first try.
-    # (Unless, of course, taint checking has been turned off!)
-    $_taintbrush = substr( "$0$^X", 0, 0 );
-    return $_taintbrush if tainted($_taintbrush);
-
-    # Let's try again. Maybe somebody cleaned those.
-    $_taintbrush = substr( join( q{}, grep { defined } @ARGV, %ENV ), 0, 0 );
-    return $_taintbrush if tainted($_taintbrush);
-
-    # If those don't work, go try to open some file from some unsafe
-    # source and get data from them.  That data is tainted.
-    # (Yes, even reading from /dev/null works!)
-    for my $filename ( qw(/dev/null / . ..), values %INC, $0, $^X ) {
-        if ( open my $fh, '<', $filename ) {
-            my $data;
-            if ( defined sysread $fh, $data, 1 ) {
-                $_taintbrush = substr( $data, 0, 0 );
-                last if tainted($_taintbrush);
-            }
-        }
-    }
-
-    # Sanity check
-    die("Our taintbrush should have zero length!") if length $_taintbrush;
-
-    return $_taintbrush;
-}
-
 =head2 $mech->_modify_request( $req )
 
 Modifies a L<HTTP::Request> before the request is sent out,
diff --git a/t/taint.t b/t/taint.t
