* Server Version: Apache/1.3.13-dev (Unix) mod_perl/1.24_01-dev
* perl, version 5.005_03 built for sun4-solaris
* SunOS 5.6
* Apache::Session 1.5
* Apache::Session::Lock::File 1.00
With taint checking turned on in my modperl server, as in:
PerlTaintCheck Off
PerlWarn Off
PerlFreshRestart Off
using the Apache::Session::File causes Apache::Session::Lock::File to
croak on the second access to the session file with a message in my
error_log stating:
[Thu Jun 8 21:15:03 2000] [error] access to /TS/ failed for XX.XX.XX.XX, reason:
Could not access session storage: Insecure dependency in open while running with -T
switch at /opt/gnu/lib/perl5/site_perl/5.005/Apache/Session/Lock/File.pm line 62.
The line of code in my handler that is outputing this message is:
eval {tie %$session, 'Apache::Session::File', $sesid, $SESSOPTS};
if ($@) {
$r->log_reason("Could not access session storage: $@", $r->uri);
return SERVER_ERROR;
}
and finally, the options passed to tie() are:
%SESSOPTS = {'Directory' => '/somepath/sessions',
'LockDirectory' => '/pathtolocks/sessions',
'Transaction' => 1};
permissions on these two directories are:
drwxrwx--- 2 nobody nobody 512 Jun 8 21:27 /somepath/sessions/
drwxrwx--- 2 nobody nobody 512 Jun 8 21:28 /pathtolocks/sessions/
where nobody.nobody are the user/group of the httpd processes.
The file is initially created, along with its correspond lock file, but
a second attempt to tie() to the existing session file returns the taint
error. Disabling taint checking in the server allows the session logic
to proceed without error, by the way. I would prefer not to run in this
mode, however.
Having exhausted my understanding of tainted data, I'm hoping I can get
some hints from this list.
Thanks for your attention.
Peace.
