Thanks for the heads up. I'll fix that.

Lincoln

On Saturday 13 December 2003 04:28 pm, Stas Bekman wrote:
> [CC'ing Lincoln on this one]
>
> Chris Ochs wrote:
> > I am using CGI.pm with mod_perl, and simply because I hate using
> > $q->param('var') I use $q->import_names('CGI') so I can reference
> > the post variables as $CGI::var. CGI.pm does not clear this
> > namespace and I am not sure of the best way to clear an entire
> > namespace. Any ideas?
>
> CGI.pm does clean up imported vars (I don't know why it doesn't work
> for you):
>
> sub import_names {
>     my($self,$namespace,$delete) = self_or_default(@_);
>     $namespace = 'Q' unless defined($namespace);
>     die "Can't import names into \"main\"\n" if \%{"${namespace}::"} == \%::;
>     if ($delete || $MOD_PERL || exists $ENV{'FCGI_ROLE'}) {
>         # can anyone find an easier way to do this?
>         foreach (keys %{"${namespace}::"}) {
>             local *symbol = "${namespace}::${_}";
>             undef $symbol;
>             undef @symbol;
>             undef %symbol;
>         }
>     }
>     my($param,@value,$var);
>     foreach $param ($self->param) {
>         # protect against silly names
>         ($var = $param)=~tr/a-zA-Z0-9_/_/c;
>         $var =~ s/^(?=\d)/_/;
>         local *symbol = "${namespace}::$var";
>         @value = $self->param($param);
>         @symbol = @value;
>         $symbol = $value[0];
>     }
> }
>
> Though looking at your example, where you use
> $q->import_names('CGI') instead of the default 'Q', it seems to be
> a bad idea, since CGI.pm blindly nukes all vars in any given
> namespace, including variables which weren't imported. Since you
> have called $q->import_names('CGI') it's going to nuke things like
> $CGI::VERSION and many other CGI:: variables that it needs to
> operate properly.
>
> I think CGI.pm needs to maintain a global list of vars that it has
> imported and only undef them. Even that's troublesome - if a
> malicious user changes the query string to include VERSION=234,
> it'll override the real $CGI::VERSION. Same goes for many other
> internal variables. It's quite possible that some can find security
> issues with this functionality.
>
> At the very least, CGI.pm shouldn't allow using 'CGI' as the
> namespace for importing names.
>
> __________________________________________________________________
> Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
> http://stason.org/     mod_perl Guide ---> http://perl.apache.org
> mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org   http://ticketmaster.com
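
The two suggestions in the quoted message (track what was imported and undef only that; refuse a namespace such as 'CGI') can be sketched as follows. This is an added example, not CGI.pm code or anything posted in the thread: `tracked_import`, `%imported`, the `Victim` package and the "refuse any namespace that defines subs" policy are assumptions made for illustration, and the parameters are constructed.

```perl
use strict;
use warnings;
no warnings 'once';

# Hypothetical helper (not CGI.pm code): remembers the names it created in
# each namespace and clears only those on the next call.
my %imported;    # namespace => { name => 1 }

sub tracked_import {
    my ($namespace, $params) = @_;    # $params: { name => [ values ] }
    $namespace = 'Q' unless defined $namespace;
    die "Bad namespace \"$namespace\"\n"
        unless $namespace =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
    no strict 'refs';
    my $stash = \%{"${namespace}::"};
    die "Can't import names into \"main\"\n" if $stash == \%::;
    # Assumed policy: a namespace that defines subs is a module; refuse it.
    die "Refusing \"$namespace\": namespace holds code\n"
        if grep { !/::\z/ && defined &{"${namespace}::$_"} } keys %$stash;
    # Clear only what an earlier call imported, nothing else in the stash.
    for my $name (keys %{ $imported{$namespace} || {} }) {
        undef ${"${namespace}::$name"};
        undef @{"${namespace}::$name"};
    }
    for my $param (keys %$params) {
        (my $var = $param) =~ tr/a-zA-Z0-9_/_/c;    # same sanitising as CGI.pm
        $var =~ s/^(?=\d)/_/;
        my @value = @{ $params->{$param} };
        @{"${namespace}::$var"} = @value;
        ${"${namespace}::$var"} = $value[0];
        $imported{$namespace}{$var} = 1;
    }
    return;
}

# Stand-in for a real module such as CGI, with state it needs to keep.
{ package Victim; our $VERSION = '1.0'; sub run { 1 } }

# Constructed parameters, shaped like a parsed query string.
$Q::app_state = 'kept';    # set by the application, never imported
tracked_import('Q', { user => ['alice'], VERSION => [234] });
print "Q::user=$Q::user Q::VERSION=$Q::VERSION\n";
tracked_import('Q', { page => [2] });    # next request
print "stale Q::user cleared\n" unless defined $Q::user;
print "Q::app_state=$Q::app_state\n";
eval { tracked_import('Victim', { VERSION => [234] }) };
print "refused: $@";
print "Victim::VERSION=$Victim::VERSION\n";
```

A request-supplied `VERSION=234` still lands in `$Q::VERSION`, which is harmless only because `Q` is a dedicated namespace that no module reads its own state from.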