Qualys discovered that if unsanitized input was used with the library Module::ScanDeps before version 1.36, a local attacker could possibly execute arbitrary shell commands by open()ing a "pesky pipe" (such as passing "commands|" as a filename) or by passing arbitrary strings to eval().
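The "pesky pipe" behaviour described above, as an added example that is not code from Module::ScanDeps or from the advisory: Perl's two-argument open() reads a trailing "|" in the name as a request to run a command, while three-argument open() with an explicit mode treats the same string as a file name only. The file name, its harmless echo command and the helper names read_two_arg and read_three_arg are constructed for illustration, and a Unix-like system is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Constructed sample: a "file name" that ends in a pipe character.
# The command part is a harmless echo so the difference is visible.
my $name = 'echo pipe-was-executed|';

# Work in a scratch directory and create a real file with that literal
# name, so the safe open below has something to read.
my $start = getcwd();
my $dir   = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
open(my $mk, '>', $name) or die "create: $!";
print {$mk} "file contents\n";
close $mk;

# Unsafe: two-argument open parses the mode out of the string itself,
# so a trailing "|" makes Perl run the text before it as a command.
sub read_two_arg {
    my ($path) = @_;
    open(my $fh, $path) or return;
    local $/;                      # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Safe: three-argument open with an explicit '<' mode never interprets
# characters in the name, whatever the caller passed in.
sub read_three_arg {
    my ($path) = @_;
    open(my $fh, '<', $path) or return;
    local $/;                      # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

printf "two-arg:   %s", read_two_arg($name)   // "(open failed)\n";
printf "three-arg: %s", read_three_arg($name) // "(open failed)\n";

chdir $start;                      # leave the scratch dir before cleanup
```

The first line of output comes from the command, the second from the file. Auditing a code base for open() calls with fewer than three arguments is a quick way to find remaining instances of this pattern.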
Fix issue #19 (AKA rschupp/PAR-Packer#78): invalid paths in zip file
Restore behaviour from version 1.31 when using "pp --execute ..." or "scandeps.pl --execute ...".
When using "scan_deps(execute => 1, ...)", %INC as gleaned from running the script must be sanitized. Contrary to documentation "The key is the filename you specified (with module names converted to pathnames)", %INC *may* contain keys that are *absolute pathnames* (or start with "./relative/path" when "relative/path" is in @PATH). Examples are autosplitted modules (for autosplit.ix and *.al files). pp will pack these absolute paths into the zip (Archive::Zip doesn't complain), which results in strange error messages when the packed executable tries to unpack them under CACHEDIR/inc on Windows.
Add t/19-autosplit.t to test for this. Add IPC::Run3 to TEST_REQUIRES, used in t/19-autosplit.t