On Fri, Nov 07, 2003 at 10:18:45PM -0500, Geoffrey Young wrote:
> >> PerlSwitches -T
> >
> >That's the right way.
>
> I'm not entirely sure, but IIRC, if you run a <Perl> section or
> PerlLoadModule before PerlSwitches it's too late to specify taint mode. I
> might be wrong, but it's worth checking.
Yah, I anticipated that. PerlSwitches is the first thing that
mentions perl in apache2.conf. I find that taint mode _is_
on, see below ...
> >> warn tainted(param('foo')); # false for any given foo
> >>
> >>Am I doing something wrong?
> >
> >Where does tainted() come from? I'm not familiar with that function.
>
> probably from Taint.pm (whose code is quite interesting if you take a look
> at it - a one liner with a paragraph of comments :)
use Scalar::Util qw(tainted); # included with perl 5.8.x
This works correctly:
warn "path".tainted($ENV{PATH});
In fact, everything in %ENV is tainted except for GATEWAY_INTERFACE
and MOD_PERL. It looks like a bug in CGI::Simple in _parse_multipart
or _add_param.
For a quick work-around, does anyone know how to tell perl that
data is tainted?
--
A new cognitive theory of emotion, http://savannah.nongnu.org/projects/aleader
--
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
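As an added example (not code from this thread or from mod_perl/CGI::Simple), the script below shows the three operations the discussion turns on under perl -T: checking which %ENV values carry the taint flag, marking an untainted value as tainted by concatenating a zero-length slice of a tainted string, and untainting only through a regex capture. It assumes it is run from the command line with PATH set in the environment, not under mod_perl.

```perl
#!/usr/bin/perl -T
# Added example: run as `perl -T taint_demo.pl`. Not part of the thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);   # ships with perl 5.8.x

# List %ENV entries that are NOT tainted. From the command line under -T
# this should print nothing; the thread reports GATEWAY_INTERFACE and
# MOD_PERL as the only untainted entries when running under mod_perl.
sub untainted_env_keys {
    return sort grep { !tainted($ENV{$_}) } keys %ENV;
}

# Mark a value as tainted: taint propagates through substr and through
# string concatenation, so appending a zero-length slice of any tainted
# string (PATH is tainted under -T) sets the flag without changing the text.
# Assumes $ENV{PATH} is set.
sub taint_value {
    my ($value) = @_;
    my $empty_but_tainted = substr($ENV{PATH}, 0, 0);
    return $value . $empty_but_tainted;
}

# The only sanctioned way to clear the flag: extract a capture group from
# a regex that matches the exact shape you are willing to accept.
sub untaint_identifier {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9_]+)\z/ ? $1 : undef;
}

my $param = taint_value('foo');
printf "untainted %%ENV keys: %s\n", join(',', untainted_env_keys()) || '(none)';
printf "param tainted:         %d\n", tainted($param) ? 1 : 0;   # 1

my $clean = untaint_identifier($param);
printf "cleaned tainted:       %d\n", tainted($clean) ? 1 : 0;   # 0

# A value that fails the whitelist stays undef rather than being trusted.
my $bad = untaint_identifier(taint_value('foo; rm -rf /'));
printf "bad input accepted:    %s\n", defined $bad ? 'yes' : 'no'; # no
```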