> Sorry, getting out of good ideas.. Surprise, surprise: I found out that my code does not work under mod_perl 1.23 either! And I found the real solution: one has to add
PerlSetupEnv Off to the Apache configuration file. Now the untainting mumbo-jumbo in <perl> section works. Warning: this has the consequence of breaking the part of the CGI environment emulation that deals with environment (e.g. instead of $ENV{"HTTP_USER_AGENT"}, you now have to check Apache->request()->subprocess_env("HTTP_USER_AGENT")). Glancing at its source code, I don't think CGI.pm will survive that... BTW, I finally got around to reading mod_perl's source, and it is now clear to me that the environment, when being copied from ->subprocess_env() into %ENV, gets tainted (around line 704 in src/modules/perl/mod_perl.c). The whole %ENV gets tainted, not just the HTTP_USER_AGENT and such from the CGI context, so PATH is tainted as well. This explains our now common problem - and also guarantees that there is no easy way out of it if you use CGI.pm yourself :-(. Hope I'm being helpful at last, -- Dominique QUATRAVAUX Ingénieur senior 01 44 42 00 08 IDEALX