jalex <[EMAIL PROTECTED]> writes: [...]
> Yes, I am aware various workarounds exist; however, I don't think whether
> this is a bug or not is really at all arguable: anything that is marked as
> tainted in perl needs to be also marked tainted in mod_perl2. There is
> nothing in the mod_perl documentation to suggest otherwise; in fact, there
> are lots of tutorials out there that suggest that it is very important to
> turn taint mode on exactly to catch unsafe handling of CGI parameters. I'm
> left wondering what else isn't getting marked tainted that should be.

I agree, this is a very serious bug. Taint checking is one of Perl's most important security features, and Web applications are one of the areas most in need of security. Having taint checking not working properly for mod_perl means that users are missing out on the huge safety net Perl provides to stop programmers from accidentally doing unsafe things, and, worse, they may be relying on that functionality to protect them, leaving their apps unexpectedly vulnerable.

Do any of the mod_perl developers have a comment on this? I'm surprised it's not generating more feedback.

----Scott.
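The safety net the thread is talking about can be checked directly from Perl. The script below is an added example, not code from the thread or from the mod_perl project: it shows how to verify with `Scalar::Util::tainted` whether a value is actually tainted, how a defender can force taint onto data that a framework failed to mark (using the core-Perl idiom of concatenating an empty substring of a tainted `%ENV` value, which assumes at least one environment variable is set), and how allow-list untainting via a regex capture is the only sanctioned way to clear it. The parameter values and the `untaint_username` rule are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): checking, forcing and clearing taint
# in plain Perl so that request parameters are handled as untrusted input.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every %ENV value is tainted, and any substring of a tainted value
# is tainted too. An empty substring therefore carries taint without content;
# concatenating it onto a string marks that string tainted. Assumption: at
# least one environment variable exists to serve as the carrier.
my ($carrier_source) = grep { tainted($_) } values %ENV;
defined $carrier_source or die "no tainted environment value available\n";
my $taint_carrier = substr($carrier_source, 0, 0);

# perlsec recommends sanitising the environment before any external command.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

sub force_taint {
    my ($value) = @_;
    return $value . $taint_carrier;   # same content, now flagged tainted
}

# Allow-list untainting: only a regex capture removes the taint flag, so the
# pattern must describe exactly what the application accepts (constructed rule).
sub untaint_username {
    my ($param) = @_;
    my ($clean) = $param =~ /\A([A-Za-z0-9_]{1,32})\z/
        or die "rejected: parameter does not match the username allow-list\n";
    return $clean;
}

# Constructed sample request parameter, as a framework might hand it over
# without marking it tainted (the situation the thread describes).
my $raw = 'alice@example';
printf "raw value tainted:        %s\n", tainted($raw) ? 'yes' : 'no';

my $untrusted = force_taint($raw);
printf "after force_taint tainted: %s\n", tainted($untrusted) ? 'yes' : 'no';

# Perl refuses to pass a tainted value to an external command under -T
# ("Insecure dependency"); this is the safety net firing.
eval { system('/bin/echo', $untrusted); 1 } or print "blocked by taint mode: $@";

# The allow-list rejects the constructed value because of the '@'.
eval { untaint_username($untrusted); 1 } or print "allow-list: $@";

# A value that matches the allow-list comes back clean and may be used.
my $ok = untaint_username(force_taint('alice'));
printf "untainted result '%s' tainted: %s\n", $ok, tainted($ok) ? 'yes' : 'no';
```

Run it as `perl -T taint_demo.pl`; without `-T` on the command line Perl reports "Too late for -T" because the flag on the shebang line cannot switch taint mode on after startup. The useful property for a mod_perl handler is the first check: if `tainted($param)` answers "no" for a request parameter, the application is running without the protection the tutorials promise, and `force_taint` restores the discipline until the framework marks the data itself.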