I spent some time over the weekend looking at this, without much luck. I have a 'fix' - make FETCH IMA_NO_TAINT_IN|IMA_NO_TAINT_OUT, in DBI.pm.
That works around the problem, but I'm not too sure that it's a valid fix. The alternate suggestion, given back in August (of just having the dispatch method test for methods starting with fetch, rather than testing in _set_fbav) also works, but then stuff like func isn't tainted. OTOH, this is just a workaround, and there is no guarantee that it won't break again.

I'm not sure what Tim prefers. Both interpretations of TaintOut (i.e. taint data out, vs taint everything) are probably valid, as long as they're appropriately documented. Personally, I think that connecting to + relying on a database whose output you don't trust is a bit silly. Especially with TaintIn and TaintOut set, where you are going to want to use returned data from the db in subsequent statements, which is the problem here. TaintIn is a different story, though, which is why I wanted these split up to start with.

I would like to know what the change made in perl5.6.1 which fixed this was, though - any clues?

Thoughts?

Bradley