On Fri, Nov 07, 2003 at 10:18:45PM -0500, Geoffrey Young wrote:
> >> PerlSwitches -T
> >
> > That's the right way.
>
> I'm not entirely sure, but IIRC, if you run a <Perl> section or
> PerlLoadModule before PerlSwitches it's too late to specify taint mode. I
> might be wrong, but it's worth checking.
Yah, I anticipated that. PerlSwitches is the first thing that mentions perl
in apache2.conf. I find that taint mode _is_ on, see below ...

> >> warn tainted(param('foo')); # false for any given foo
> >>
> >> Am I doing something wrong?
> >
> > Where does tainted() come from? I'm not familiar with that function.
>
> probably from Taint.pm (whose code is quite interesting if you take a look
> at it - a one liner with a paragraph of comments :)

use Scalar::Util qw(tainted); # included with perl 5.8.x

This works correctly:

warn "path".tainted($ENV{PATH});

In fact, everything in %ENV is tainted except for GATEWAY_INTERFACE and
MOD_PERL.

It looks like a bug in CGI::Simple in _parse_multipart or _add_param. For a
quick work-around, does anyone know how to tell perl that data is tainted?

-- 
A new cognitive theory of emotion, http://savannah.nongnu.org/projects/aleader

-- 
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
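As an added, stand-alone illustration (not code from this thread or from CGI::Simple) of the work-around the message asks about: a script that re-marks a value as tainted by appending an empty string derived from %ENV, checks the flag with Scalar::Util::tainted, and then launders it through a strict regex capture. It assumes it is started as `perl -T script.pl` (the same switch PerlSwitches -T passes under mod_perl) and that %ENV is non-empty; the parameter value and the untaint pattern are constructed for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not code from this thread. Run as: perl -T script.pl
# so that taint checks are active from the start.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Every value in %ENV is tainted under -T, and anything derived from tainted
# data stays tainted, so an empty substring of it is an empty *tainted*
# string. Appending it flags a value without changing its contents.
# Assumption: %ENV is non-empty (PATH is normally set).
my $TAINT = substr(join('', values %ENV), 0, 0);

# Work-around for input a parser handed back untainted: mark it tainted again.
sub taint_value {
    my ($value) = @_;
    return $value . $TAINT;
}

# Launder a value by extracting a narrow, expected pattern; a regex capture
# is the only way tainted data legitimately becomes clean. The pattern here
# is a constructed example of a "safe token", tighten it to the real input.
sub untaint_token {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ /\A([A-Za-z0-9_.-]{1,64})\z/ ? $1 : undef;
}

# Constructed stand-in for a CGI parameter that arrived untainted even
# though it came from the client.
my $param = 'foo';
printf "raw param tainted:    %d\n", tainted($param) ? 1 : 0;

my $retainted = taint_value($param);
printf "after taint_value:    %d\n", tainted($retainted) ? 1 : 0;

my $clean = untaint_token($retainted);
printf "after untaint_token:  %d (value '%s')\n",
    tainted($clean) ? 1 : 0, $clean;

# Input that fails the pattern is rejected rather than laundered.
my $bad = untaint_token(taint_value('bad value!'));
print defined $bad ? "unexpectedly accepted\n" : "rejected malformed input\n";
```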