Scott Gifford wrote:
> 
> 
> FYI, this test case works properly under my installation of Debian
> mod_perl 1.29.0.2 under apache 1.3.34.
> 
> Jalex, you might want to print out the value of your test variable and
> make sure it is being received properly.  I thought I saw the same
> problem, until I realized that I hadn't set the log parameter to
> anything, and undefined CGI parameters are not tainted.
> 
> Is anybody else seeing this behavior under mod_perl 2?  It would
> indeed be a very serious bug.
> 
> ----Scott.
> 
> 

Yes, I did try printing it out. In fact, I tried calling eval() on it, and
no exception was thrown! If I tried calling eval on an expression derived
from an environment variable, then the taint exception does get thrown as
expected. It's just the return values of CGI's param() method that seem to
have somehow become untainted. If I run the same test scripts under mod_cgi
rather than mod_perl2, the taint exceptions get thrown exactly where I
expect to see them.


-- 
View this message in context: 
http://www.nabble.com/CGI-%3Eparams%28%29-should-be-tainted%2C-right--tf4858333.html#a13961667
Sent from the mod_perl - General mailing list archive at Nabble.com.
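
A diagnostic along the lines discussed in this thread, as an added example that is not part of either message: it reports whether taint mode is actually on in the running interpreter and whether an environment value and a CGI parameter carry the taint flag, using both Scalar::Util's tainted() and the eval idiom from perlsec. The parameter name `test` is an assumption.

```perl
#!/usr/bin/perl -T
# Added diagnostic (constructed example, not from the thread).
# Assumption: the request carries a parameter named "test".
use strict;
use warnings;
use CGI ();
use Scalar::Util qw(tainted);

# perlsec idiom: evaluating a string built from tainted data dies in taint mode.
# A zero-length substr of a tainted value is still tainted, so no input is run.
sub taint_by_eval {
    my ($value) = @_;
    local $@;
    return !eval { eval( '#' . substr( $value, 0, 0 ) ); 1 };
}

# Report on one value. Only the length is printed, never the value itself.
sub describe {
    my ( $label, $value ) = @_;
    return sprintf "%-20s undefined (undef is never tainted)\n", $label
        unless defined $value;
    return sprintf "%-20s length=%d tainted()=%s eval-check=%s\n",
        $label, length $value,
        tainted($value)       ? 'yes' : 'NO',
        taint_by_eval($value) ? 'yes' : 'NO';
}

my $q = CGI->new;
print $q->header('text/plain');

# ${^TAINT} is 1 under -T, -1 under -t, and 0 when taint checking is off.
printf "taint mode (\${^TAINT}): %d\n", ${^TAINT};

# Environment data is the control case: it should be tainted in taint mode.
print describe( 'ENV{QUERY_STRING}', $ENV{QUERY_STRING} );

# The value under dispute in the thread.
print describe( 'param("test")', scalar $q->param('test') );
```

Running the same script under mod_cgi and under mod_perl and comparing the three lines separates "taint mode is off in this interpreter" from "taint mode is on but this value lost its taint flag".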
