Thanks for the heads up. I'll fix that.
Lincoln
On Saturday 13 December 2003 04:28 pm, Stas Bekman wrote:
> [CC'ing Lincoln on this one]
>
> Chris Ochs wrote:
> > I am using CGI.pm with mod perl, and simply because I hate using
> > $q->param('var') I use $q->import_names('CGI') so I can reference
> > the post variables as $CGI::var. CGI.pm does not clear this
> > namespace and I am not sure of the best way to clear an entire
> > namespace. Any ideas?
>
> CGI.pm does clean up imported vars (I don't know why it doesn't work
> for you):
>
> sub import_names {
>     my($self,$namespace,$delete) = self_or_default(@_);
>     $namespace = 'Q' unless defined($namespace);
>     die "Can't import names into \"main\"\n" if
>         \%{"${namespace}::"} == \%::;
>     if ($delete || $MOD_PERL || exists $ENV{'FCGI_ROLE'}) {
>         # can anyone find an easier way to do this?
>         foreach (keys %{"${namespace}::"}) {
>             local *symbol = "${namespace}::${_}";
>             undef $symbol;
>             undef @symbol;
>             undef %symbol;
>         }
>     }
>     my($param,@value,$var);
>     foreach $param ($self->param) {
>         # protect against silly names
>         ($var = $param)=~tr/a-zA-Z0-9_/_/c;
>         $var =~ s/^(?=\d)/_/;
>         local *symbol = "${namespace}::$var";
>         @value = $self->param($param);
>         @symbol = @value;
>         $symbol = $value[0];
>     }
> }
>
> Though looking at your example, where you use
> $q->import_names('CGI') instead of the default 'Q', it seems to be
> a bad idea, since CGI.pm blindly nukes all vars in any given
> namespace, including variables which weren't imported. Since you
> have called $q->import_names('CGI') it's going to nuke things like
> $CGI::VERSION and many other CGI:: variables that it needs to
> operate properly.
>
> I think CGI.pm needs to maintain a global list of vars that it has
> imported and only undef them. Even that's troublesome - if a
> malicious user changes the query string to include VERSION=234,
> it'll override the real $CGI::VERSION. Same goes for many other
> internal variables. It's quite possible that someone can find security
> issues with this functionality.
>
> At the very least, CGI.pm shouldn't allow using 'CGI' as the
> namespace for importing names.
>
> __________________________________________________________________
> Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
> http://stason.org/ mod_perl Guide ---> http://perl.apache.org
> mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org http://ticketmaster.com
--
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
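The fix Stas sketches above (keep a list of the names that were imported, undef only those on the next request, and refuse 'CGI' as a target namespace), as an added Perl example that is not part of this thread and not CGI.pm's own code. `import_params`, `show`, the `%protected`/`%imported` bookkeeping and the two `%request` hashes are constructed for the example; it takes already-parsed parameters as a hash rather than a CGI object.

```perl
#!/usr/bin/perl
# Added example (not CGI.pm code): import request parameters into a package
# namespace, undef-ing only the names we imported ourselves on the last call.
use strict;
use warnings;

my %protected;   # per namespace: names that already held a value or a sub
my %imported;    # per namespace: names we assigned on the previous request

sub import_params {
    my ( $namespace, $params ) = @_;   # $params: { name => value or [values] }
    $namespace = 'Q' unless defined $namespace;

    # Namespaces whose symbol tables carry code and state we must not clobber.
    die "refusing to import into '$namespace'\n"
        if $namespace eq 'main' || $namespace eq 'CGI' || $namespace =~ /^CGI::/;

    no strict 'refs';

    # First use of this namespace: remember every symbol that already holds a
    # value or a sub, so a request can never overwrite it (e.g. $Q::VERSION).
    $protected{$namespace} ||= {
        map { $_ => 1 }
        grep {
                 defined ${"${namespace}::$_"}
              || @{"${namespace}::$_"}
              || defined &{"${namespace}::$_"}
        } keys %{"${namespace}::"}
    };

    # Clear only what we imported last time. The globs stay in the stash, so
    # handler code compiled against $Q::name keeps seeing the new values.
    for my $var ( @{ $imported{$namespace} || [] } ) {
        undef ${"${namespace}::$var"};
        undef @{"${namespace}::$var"};
    }
    $imported{$namespace} = [];

    my @skipped;
    for my $param ( sort keys %$params ) {
        ( my $var = $param ) =~ tr/a-zA-Z0-9_/_/c;   # same scrubbing as CGI.pm
        $var =~ s/^(?=\d)/_/;

        if ( $protected{$namespace}{$var} ) {        # VERSION=234 lands here
            push @skipped, $var;
            next;
        }
        my $v = $params->{$param};
        my @value = ref $v eq 'ARRAY' ? @$v : ($v);
        @{"${namespace}::$var"} = @value;
        ${"${namespace}::$var"} = $value[0];
        push @{ $imported{$namespace} }, $var;
    }
    return @skipped;   # names refused because they were not ours to set
}

# What a handler compiled against the Q namespace would see after each call.
sub show {
    no warnings 'once';
    my ($label) = @_;
    printf "%s: name=%s ids=[%s] bad_name=%s VERSION=%s\n", $label,
        $Q::name // '', join( ',', @Q::ids ), $Q::bad_name // '', $Q::VERSION;
}

# Constructed demo: a module-level variable that must survive requests.
$Q::VERSION = '1.0';

# Request 1: ordinary parameters, one name containing a scrubbed character.
my %request1 = ( name => 'alice', ids => [ 1, 2 ], 'bad-name' => 'x' );
my @skipped = import_params( 'Q', \%request1 );
show('after request 1');
print "skipped: @skipped\n";

# Request 2: the client adds VERSION=234 to the query string (the case from
# the thread). VERSION is refused, and 'ids' and 'bad_name' from request 1
# are cleared because they were not sent again.
my %request2 = ( VERSION => 234, name => 'bob' );
@skipped = import_params( 'Q', \%request2 );
show('after request 2');
print "skipped: @skipped\n";
```

After the first call `$Q::name` is `alice`, `@Q::ids` is `(1, 2)` and `$Q::bad_name` is `x`; after the second, `$Q::name` is `bob`, `ids` and `bad_name` are empty again, `$Q::VERSION` is still `1.0` and `VERSION` is reported as skipped. Two design points matter under mod_perl: the cleanup undefs the values but leaves the globs in place, because code compiled against `$Q::name` holds the glob and would stop seeing new values if the stash entry were deleted and recreated; and the protected set is taken from the namespace's existing values rather than from existing globs, since merely mentioning `$Q::name` in a handler creates the glob at compile time.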