Quoting Martin Moss <[EMAIL PROTECTED]>:
> All,
> Can Anybody see what I'm doing wrong here?
>
> I have the following error :-
> [error] Insecure dependency in unlink while running with -T switch at
> /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.

The problem is not with your code, it is that Apache::Session::File does not work in Taint mode. Apache::Session::Store::File gets the session ID from a file (which means session_id is tainted), and then uses the tainted session_id to delete a file (hence the unlink error).

A quick fix for this is for you to untaint the session ID yourself after the session has been unserialized. Put the following two lines right after you tie the session:

    $session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
    $session{_session_id} = $1;

This probably should be fixed in Apache::Session itself as I am sure other people will run into it.

By the way, you really shouldn't be using Apache::Session::File anyway for performance reasons. At least use Apache::Session::DB_File which most likely doesn't suffer from this taint problem and will be much quicker.

Cees

>
> When I run the following subroutine:-
>
> sub delete_session
> {
>     my $self=shift;
>     my $session_id=shift;
>
>     if ($session_id =~ /^(\w\w*)$/)
>     {
>         $session_id = $1; # $data now untainted
>     }
>     else
>     {
>         die "Bad Tainted data in $session_id"; # log this somewhere
>     }
>
>     die $self->{lh}->maketext("No Session_id given") unless ($session_id);
>
>     my $t=time;
>     my %session;
>
>     my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
>     my $LockDirectory = My::Conf::APACHE_SESSIONS_LOCKDIR;
>
>     $Directory="XX_GRRRRR_XX$Directory"."XX_GRRRRR_XX"; #e.g. '/path/to/dir/'
>     $LockDirectory="XX_GRRRRR_XX$LockDirectory"."XX_GRRRRR_XX"; #e.g. '/path/to/dir/'
>
>     if ($Directory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
>     {
>         $Directory = $1; # $data now untainted
>     }
>     else
>     {
>         die "Bad Tainted data in $Directory"; # log this somewhere
>     }
>
>     if ($LockDirectory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
>     {
>         $LockDirectory = $1; # $data now untainted
>     }
>     else
>     {
>         die "Bad Tainted data in $LockDirectory"; # log this somewhere
>     }
>
>     #Load an existing session
>     eval
>     {
>         tie %session, 'Apache::Session::File',$session_id,
>         {
>             Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
>             LockDirectory => Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
>         };
>     };
>     if ($@)
>     {
>         die $self->{lh}->maketext("Couldn't Load Apache::Session - \"[_1]\" For '\"[_2]\"'",$@,$self->UserName);
>     }
>
>     print STDERR "Just about to unlink\n";
>     tied(%session)->delete;
>     return 1;
> }
>
>
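The taint failure discussed in this thread, reproduced outside Apache::Session as an added example (not code from either poster or from the module): a value read back from a file is tainted, unlink refuses it under -T, and a validating untaint step clears it. The helper name untaint_session_id, the scratch directory and the sample session ID are hypothetical and constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not Apache::Session code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return an untainted copy of a session ID, or die if it is not purely
# alphanumeric. Checking the match result matters: after a failed match
# $1 still holds whatever an earlier successful match captured.
sub untaint_session_id {
    my ($id) = @_;
    die "no session ID given\n" unless defined $id;
    return $1 if $id =~ /\A([a-zA-Z0-9]+)\z/;
    die "refusing malformed session ID\n";
}

# Private scratch directory (constructed for the demo). mkdir fails if the
# path already exists, so a pre-planted file or symlink cannot be reused.
my $dir = "/tmp/taint-demo-$$-" . time;
mkdir $dir, 0700 or die "mkdir $dir: $!";

# Constructed session file whose contents carry the ID, standing in for
# the serialized session that the store reads back.
my $id = 'abc123def456';
open my $out, '>', "$dir/$id" or die "write: $!";
print {$out} "$id\n";
close $out;

open my $in, '<', "$dir/$id" or die "read: $!";
chomp(my $from_file = <$in>);
close $in;
print "ID read from file is tainted: ", (tainted($from_file) ? "yes" : "no"), "\n";

# Same failure as in the report: a tainted value reaches unlink.
eval { unlink "$dir/$from_file" or die "unlink: $!" };
print "tainted unlink: $@" if $@;

# Validate, then delete using the clean copy.
my $clean = untaint_session_id($from_file);
unlink "$dir/$clean" or die "unlink: $!";
print "untainted unlink succeeded\n";

# A value with path characters is rejected instead of being passed on.
eval { untaint_session_id('../other-file') };
print "rejected: $@" if $@;

rmdir $dir or die "rmdir: $!";
```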