Allow Module::CPANfile in taint mode

[dylanwh]

I need to call this code under taint mode, and currently it dies. This fixes it and shouldn't hurt anyone.

[miyagawa]

$code i get it, but i think you have to untaint $file in the caller, am I right?

[dylanwh]

I will test without but I think both were required.

[miyagawa]

If you call load, maybe - but if you pass your own $file to parse(), you should be able to untaint it yourself.

[dylanwh]

How about this? The taint was coming from Cwd::abs_path().

[miyagawa]

I actually don't get the point of this whole taint patch because you're using taint mode to distrust such tainted variables. If we add a support for scalar ref in parse i.e. $cpanfile->parse(\$code) you should be able to provide an untainted code snippet to parse - is that good?

[dylanwh]

I can live with that. Although I don't think either Cwd::abs_path() or the content of the cpanfile should be considered tainted. it's not like I detaint modules when I load them with require(). The cpanfile in question is just another part of the code base.
(And we're running taint mode mostly to prevent foot-gunning ourselves during SQL generation.)

[miyagawa]

Yeah, it's mostly the same as do() or require() so in the POV it makes sense... let me see.

[dylanwh]

One this is fixed, I can remove a lot of cruft from Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1246528 which will make me so happy.

[dylanwh]

@miyagawa -- what direction would you like me to take with this PR to get it accepted? I hate to bother, but I am eager for Module::CPANfile to work under taint mode.

Thanks!

[dylanwh]

Thank you again! :)