-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 3:24 AM +1000 3/28/01, Cees Hek wrote:
>
>$session->{data}->{_session_id}, which is really just the $session_id
>variable that you pulled out of a Cookie in your code below (and
>cookies are automatically tainted since they come from the user).  You will
>have to untaint the $session_id variable before you pass it to
>Apache::Session, and this error message should go away.  See the perl
>manpages on how to untaint variables...

It looks to me like there's code in Session.pm that validates the 
session id to make sure it's safe.  It seems to me that it would be 
appropriate for that code to untaint the data at that point.  There 
are a lot of routines that use that variable for generating file 
names, and running perl -T with a web server is not a bad idea.
- -- 

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now Playing - Folk, Rock, odd stuff - http://www.somewhere.com/playlist.cgi

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOsA2sSZsPfdw+r2CEQL4uwCfU85AJURfZ0TNFngN11DLQZcwcbQAoJJ+
7Z/zsw0lOURKvcClTTAf82gF
=veaU
-----END PGP SIGNATURE-----
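The validate-then-untaint step the thread is discussing, written out as a stand-alone example added here for illustration; it is not code from the thread or from Apache::Session. The cookie value is constructed, the helper name `untaint_session_id` is hypothetical, and the accepted id format (32 lowercase hex characters) is an assumption standing in for whatever form the real session ids take. Run it with `perl -T` so taint checking is on.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_session.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Constructed sample cookie header. Under -T every %ENV value is tainted,
# so assigning here and reading it back behaves like a real request.
$ENV{HTTP_COOKIE} = 'SESSION_ID=5f3b2a1c9d8e7f60a1b2c3d4e5f60718; theme=dark';

# Parse cookies with split rather than a regex capture: split preserves
# taint, so the raw id stays tainted exactly as it would from CGI/Apache.
my %cookie = map { split /=/, $_, 2 } split /;\s*/, $ENV{HTTP_COOKIE};
my $raw_id = $cookie{SESSION_ID};

# Validate and untaint in one step. Only a successful regex match untaints,
# and only the captured text ($1), so the pattern must describe exactly the
# form a session id is allowed to take (hypothetical format: 32 hex chars).
# The id is later used to build file names, so no slashes, dots or other
# path characters can get through.
sub untaint_session_id {
    my ($id) = @_;
    return unless defined $id && $id =~ /\A([0-9a-f]{32})\z/;
    return $1;
}

printf "raw id tainted?   %s\n", tainted($raw_id) ? 'yes' : 'no';

my $clean_id = untaint_session_id($raw_id);
printf "clean id tainted? %s\n", tainted($clean_id) ? 'yes' : 'no';

# A path-like value fails validation and is rejected rather than laundered.
my $bad = untaint_session_id('../../etc/passwd');
print "path-like id accepted? ", (defined $bad ? 'yes' : 'no'), "\n";

# Why this matters for Apache::Session: building a file name from the
# tainted id dies under -T, while the validated id is usable.
my $dir = tempdir(CLEANUP => 1);

eval { open my $fh, '>', "$dir/$raw_id" or die "open: $!"; close $fh; 1 }
    or print "tainted id rejected by perl: $@";

if (open my $fh, '>', "$dir/$clean_id") {
    close $fh;
    print "untainted id: created $dir/$clean_id\n";
}
```

The first `open` fails with perl's "Insecure dependency in open while running with -T switch" message because the tainted id reaches a file name; the second succeeds because the id went through the validating capture. The point of putting the regex inside the validator rather than anywhere in the calling code is that the untaint then happens exactly where the format is checked, which is what the reply above argues Session.pm should do itself.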