Joe Schaefer wrote:

> "Kevin Spencer" <[EMAIL PROTECTED]> writes:
>
> [...]
>
>> Using the URL:
>>
>> http://myserverhere/cgi-bin/taint-test/taint.pl?log=foo
>>
>> Produces:
>>
>> Oops! Where's the taint?!?
>>
>> $^TAINT=1
>
> CGI.pm uses $r->args to get at the query string,
> which isn't marked as tainted by mod_perl2. Arguably
> it's a bug in mod_perl, but you could use APR::Request
> instead, which marks all params tainted.
Yes, I am aware various workarounds exist; however, I don't think whether this is a bug or not is really at all arguable: anything that is marked as tainted in perl needs to be also marked tainted in mod_perl2. There is nothing in the mod_perl documentation to suggest otherwise; in fact, there are lots of tutorials out there that suggest that it is very important to turn taint mode on exactly to catch unsafe handling of CGI parameters. I'm left wondering what else isn't getting marked tainted that should be.

--
View this message in context: http://www.nabble.com/CGI-%3Eparams%28%29-should-be-tainted%2C-right--tf4858333.html#a14073958
Sent from the mod_perl - General mailing list archive at Nabble.com.
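The practical check behind this thread is whether a given query parameter actually arrives tainted, and which access path loses the taint flag. The handler below is an added example, not code from either poster or from the mod_perl project: it reads the same parameter through `$r->args`, through CGI.pm and through APR::Request, reports each one's taint status with `Scalar::Util::tainted`, and re-taints any untainted copy with `Taint::Util::taint` so that a later `system()` or `open()` on it still dies under `-T`. The package name `My::TaintProbe`, the parameter name `log`, and the presence of libapreq2 (`APR::Request::Apache2`) and the CPAN module Taint::Util are assumptions.

```perl
package My::TaintProbe;
# Added example (not from the thread): probe taint status of one query
# parameter under mod_perl2 with taint mode enabled.
#
# Assumed httpd.conf fragment:
#   PerlSwitches -T
#   <Location /taint-probe>
#       SetHandler perl-script
#       PerlResponseHandler My::TaintProbe
#   </Location>
# Then request /taint-probe?log=foo
use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::RequestIO ();
use Apache2::Log ();
use Apache2::Const -compile => qw(OK);
use APR::Request::Apache2 ();
use CGI ();
use Scalar::Util qw(tainted);
use Taint::Util qw(taint);

# Describe one value as 'tainted', 'UNTAINTED' or 'undef'.
sub flag {
    my $v = shift;
    return 'undef' unless defined $v;
    return tainted($v) ? 'tainted' : 'UNTAINTED';
}

sub handler {
    my $r = shift;

    # Path 1: the raw query string from the request record.
    my $args = $r->args;

    # Path 2: CGI.pm, which (per the thread) reads $r->args under mod_perl2.
    my $cgi_val = CGI->new($r)->param('log');

    # Path 3: APR::Request, which (per the thread) marks all params tainted.
    my $apr_val = APR::Request::Apache2->handle($r)->param('log');

    my %report = (
        'taint mode ($^TAINT)' => ($^TAINT ? 'on' : 'off'),
        '$r->args'             => flag($args),
        'CGI->param'           => flag($cgi_val),
        'APR::Request->param'  => flag($apr_val),
    );

    # Defensive measure until the behaviour is settled: explicitly re-taint
    # the CGI.pm copy if it came in clean, so unsafe use downstream still
    # trips the taint check instead of silently succeeding.
    taint($cgi_val) if defined $cgi_val && !tainted($cgi_val);

    $r->content_type('text/plain');
    for my $k (sort keys %report) {
        my $line = "$k: $report{$k}\n";
        $r->print($line);
        # Surface untainted request data in the error log for the operator.
        $r->log_error("taint probe: $line") if $report{$k} eq 'UNTAINTED';
    }
    return Apache2::Const::OK;
}

1;
```

Requesting the probe with taint mode on should show `APR::Request->param: tainted`; a line reading `CGI->param: UNTAINTED` or `$r->args: UNTAINTED` reproduces the behaviour Kevin reports. The re-taint step is what lets a deployed application keep CGI.pm while still relying on `-T` to catch unsafe use of request data.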
