# I may have missed this in the discussion list, and I did google about
# for it, so my apologies if I replicated other work.
# 
# Here is a patch to bloxsom.cgi that will fix the
# 
# "Insecure dependency in chdir while running setuid at .../File/Find.pm
# line 741,"
# 
# problem that ships with blosxom.  File::Find is being paranoid, which
# is a good thing.  We have to tell File::Find (from within blosxom)
# that everything is ok, and it can do the untainting for us.
# 
# Joe Landman <landman@scalableinformatics.com>
# 
# v0i2
# You might also find the need to untaint the $plugin variable in the
# foreach loop after doing the initial readdir() from $plugins_dir.
# 
# I've attached a patch file containing both Joe's patch and mine
# (untaint.patch).
# 
# Sam Pearson <sgp@domus.uklinux.net>

--- blosxom.cgi	2003-08-26 23:53:56.000000000 +0100
+++ blosxom-untainted.cgi	2005-03-14 11:00:37.000000000 +0000
@@ -1,5 +1,4 @@
-#!/usr/bin/perl
-
+#!/usr/bin/perl -T
 # Blosxom
 # Author: Rael Dornfest <rael@oreilly.com>
 # Version: 2.0
@@ -147,6 +146,7 @@
 # Plugins: Start
 if ( $plugin_dir and opendir PLUGINS, $plugin_dir ) {
   foreach my $plugin ( grep { /^\w+$/ && -f "$plugin_dir/$_"  } sort readdir(PLUGINS) ) {
+    $plugin =~ /(.+)/ and $plugin = $1;
     my($plugin_name, $off) = $plugin =~ /^\d*(\w+?)(_?)$/;
     my $on_off = $off eq '_' ? -1 : 1;
     require "$plugin_dir/$plugin";
@@ -171,7 +171,8 @@
     my(%files, %indexes, %others);
     find(
       sub {
-        my $d; 
+        my $d;
+	$File::Find::untaint = 1;
         my $curr_depth = $File::Find::dir =~ tr[/][]; 
         return if $depth and $curr_depth > $depth;