--- spamassassin/trunk/lib/Mail/SpamAssassin.pm	2022/04/16 06:45:01	1899899
+++ spamassassin/trunk/lib/Mail/SpamAssassin.pm	2022/04/16 07:06:20	1899900
@@ -1937,7 +1937,7 @@
     dbg("config: error accessing $fname: $!");
   } else {  # does not exist, create it
     eval {
-      mkpath($fname, 0, 0700);  1;
+      mkpath(Mail::SpamAssassin::Util::untaint_file_path($fname), 0, 0700);  1;
     } or do {
       my $eval_stat = $@ ne '' ? $@ : "errno=$!";  chomp $eval_stat;
       dbg("config: mkdir $fname failed: $eval_stat");