Sorry, getting out of good ideas..
Surprise, surprise: I found out that my code does not work under mod_perl 1.23 either! And I found the real solution: one has to add
PerlSetupEnv Off
to the Apache configuration file. Now the untainting mumbo-jumbo in <perl> section works.
Warning: this has the consequence of breaking the part of the CGI environment emulation that deals with environment (e.g. instead of $ENV{"HTTP_USER_AGENT"}, you now have to check Apache->request()->subprocess_env("HTTP_USER_AGENT")). Glancing at its source code, I don't think CGI.pm will survive that...
BTW, I finally got around to reading mod_perl's source, and it is now clear to me that the environment, when being copied from ->subprocess_env() into %ENV, gets tainted (around line 704 in src/modules/perl/mod_perl.c). The whole %ENV gets tainted, not just the HTTP_USER_AGENT and such from the CGI context, so PATH is tainted as well. This explains our now common problem - and also guarantees that there is no easy way out of it if you use CGI.pm yourself :-(.
You need to untaint the variables before you use them. Since they get reset on every request, you need to untaint them inside your script/handler's run time, not the BEGIN block...:
http://perl.apache.org/docs/1.0/guide/porting.html#BEGIN_blocks
It should work just fine with mp1 and mp2.
Relying on 'PerlSetupEnv Off' is not a very good idea, since if you want to release your code for others to use, they may not be able to turn it off, since it'll break their CGI-legacy code as you have observed.
FWIW, I use the following code when I need to use ``|qx:
    local $ENV{PATH} = "/bin:/usr/bin";
    local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
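The point discussed in this thread (the environment is tainted again on every request, so the cleanup belongs at request time rather than in a BEGIN block), as an added example that is not part of either post. It is a standalone script for `perl -T`; the helper names `simulate_request_setup` and `safe_run`, the use of `/bin/echo`, and the assumption that the calling environment has PATH set are all illustrative choices, with `simulate_request_setup` standing in for mod_perl repopulating %ENV.

```perl
#!/usr/bin/perl -T
# Added example, constructed for illustration. Run as: perl -T demo.pl
use strict;
use warnings;

# Hypothetical stand-in for mod_perl's per-request setup, which copies
# the tainted subprocess environment back into %ENV before each request.
my %tainted_env = %ENV;    # everything in %ENV is tainted under -T
sub simulate_request_setup { %ENV = %tainted_env }

# Run a fixed command with a sanitized environment. The `local`s are
# undone on return, so the cleanup is repeated on every call, that is,
# at request time.
sub safe_run {
    my @cmd = @_;
    local $ENV{PATH} = "/bin:/usr/bin";
    local @ENV{ qw(IFS CDPATH ENV BASH_ENV) };
    open(my $out, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my $text = do { local $/; <$out> };
    close($out) or die "$cmd[0] failed, status $?";
    return $text;
}

# One-time cleanup, the way a BEGIN block would do it at startup.
$ENV{PATH} = "/bin:/usr/bin";
delete @ENV{ qw(IFS CDPATH ENV BASH_ENV) };

for my $request (1 .. 2) {
    simulate_request_setup();    # %ENV is tainted again

    # The startup cleanup no longer holds: perl refuses to run qx.
    my $naive = eval { qx(/bin/echo naive) };
    print "request $request, startup cleanup only: ",
        defined $naive ? "ran\n" : "refused: $@";

    # Cleanup inside the call works on every request.
    print "request $request, cleanup per call: ", safe_run('/bin/echo', 'ok');
}
```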