Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106

2003-02-28 Thread Martin Moss
Is Apache::Session::DB_type Faster than Apache::Session::File?

I already use a lot of DB connections and I used Apache::Session::File to reduce this,

Marty
- Original Message -
From: Cees Hek [EMAIL PROTECTED]
To: Martin Moss [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, February 28, 2003 5:39 AM
Subject: Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106


> Quoting Martin Moss [EMAIL PROTECTED]:
>
> > All,
> > Can Anybody see what I'm doing wrong here?
> >
> > I have the following error :-
> > [error] Insecure dependency in unlink while running with -T switch at
> > /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.
>
> The problem is not with your code, it is that Apache::Session::File does
> not work in Taint mode.  Apache::Session::Store::File gets the session ID from a
> file (which means session_id is tainted), and then uses the tainted session_id
> to delete a file (hence the unlink error).
>
> A quick fix for this is for you to untaint the session ID yourself after
> the session has been unserialized. Put the following two lines right after you
> tie the session:
>
> $session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
> $session{_session_id} = $1;
>
> This probably should be fixed in Apache::Session itself as I am sure other
> people will run into it.
>
> By the way, you really shouldn't be using Apache::Session::File anyway for
> performance reasons. At least use Apache::Session::DB_File which most likely
> doesn't suffer from this taint problem and will be much quicker.
>
> Cees



 

[error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106

2003-02-27 Thread Martin Moss
All,
Can Anybody see what I'm doing wrong here?

I have the following error :-
[error] Insecure dependency in unlink while running with -T switch at
/usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.

When I run the following subroutine:-

sub delete_session
{
  my $self=shift;
  my $session_id=shift;

  if ($session_id =~ /^(\w\w*)$/)
  {
    $session_id = $1; # $data now untainted
  }
  else
  {
    die "Bad Tainted data in $session_id"; # log this somewhere
  }

  die $self->{lh}->maketext("No Session_id given") unless ($session_id);

  my $t=time;
  my %session;

  my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
  my $LockDirectory   = My::Conf::APACHE_SESSIONS_LOCKDIR;

  $Directory="XX_GR_XX$Directory"."XX_GR_XX"; #e.g. '/path/to/dir/'
  $LockDirectory="XX_GR_XX$LockDirectory"."XX_GR_XX";  #e.g. '/path/to/dir/'

  if ($Directory =~ /^XX_GR_XX(.*)XX_GR_XX$/)
  {
    $Directory = $1; # $data now untainted
  }
  else
  {
    die "Bad Tainted data in $Directory"; # log this somewhere
  }

  if ($LockDirectory =~ /^XX_GR_XX(.*)XX_GR_XX$/)
  {
    $LockDirectory = $1; # $data now untainted
  }
  else
  {
    die "Bad Tainted data in $LockDirectory"; # log this somewhere
  }

  #Load an existing session
  eval
  {
    tie %session, 'Apache::Session::File',$session_id,
    {
      Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
      LockDirectory   => Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
    };
  };
  if ($@)
  {
    die $self->{lh}->maketext("Couldn't Load Apache::Session - \"[_1]\" For '\"[_2]\"'",$@,$self->UserName);
  }

  print STDERR "Just about to unlink\n";
  tied(%session)->delete;
  return 1;
}



Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106

2003-02-27 Thread Cees Hek
Quoting Martin Moss [EMAIL PROTECTED]:

> All,
> Can Anybody see what I'm doing wrong here?
>
> I have the following error :-
> [error] Insecure dependency in unlink while running with -T switch at
> /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.

  The problem is not with your code, it is that Apache::Session::File does
not work in Taint mode.  Apache::Session::Store::File gets the session ID from a
file (which means session_id is tainted), and then uses the tainted session_id
to delete a file (hence the unlink error).

  A quick fix for this is for you to untaint the session ID yourself after
the session has been unserialized. Put the following two lines right after you
tie the session:

$session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
$session{_session_id} = $1;

  This probably should be fixed in Apache::Session itself as I am sure other
people will run into it.

  By the way, you really shouldn't be using Apache::Session::File anyway for
performance reasons. At least use Apache::Session::DB_File which most likely
doesn't suffer from this taint problem and will be much quicker.

Cees
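
The taint failure and the untaint step described in the reply above can be reproduced without Apache::Session. This is an added example, not code from the thread or from Apache::Session: the temporary store directory, the sample ID and the helper name `untaint_session_id` are constructed for illustration. It goes one step beyond the two-line fix by testing that the match succeeded before using `$1`.

```perl
# Added example. Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

die "Run this script with perl -T\n" unless ${^TAINT};

# Return an untainted copy of $id, or die if it is not purely alphanumeric.
# The match is tested because $1 keeps its old value when a match fails;
# \z (unlike $) also rejects a trailing newline.
sub untaint_session_id {
    my ($id) = @_;
    if (defined $id && $id =~ /\A([a-zA-Z0-9]+)\z/) {
        return $1;
    }
    die "Refusing malformed session id\n";
}

# Constructed sample store: one file named after the session ID, with the
# ID written inside it, standing in for a serialized session.
my $dir  = tempdir();
my $id   = '4f2a9c0d1e7b';                       # constructed value
my $path = File::Spec->catfile($dir, $id);
open my $out, '>', $path or die "write $path: $!";
print {$out} "$id\n";
close $out or die "close $path: $!";

# Anything read back from a file is tainted.
open my $in, '<', $path or die "read $path: $!";
chomp(my $stored = <$in>);
close $in;
print "id read from file is tainted: ", (tainted($stored) ? "yes" : "no"), "\n";

# Tainted name: unlink refuses, with the error quoted in the thread.
eval { unlink File::Spec->catfile($dir, $stored) };
print "unlink with tainted id: $@";

# Validated name: the same unlink is allowed.
my $clean   = untaint_session_id($stored);
my $removed = unlink File::Spec->catfile($dir, $clean);
print "unlink with untainted id removed $removed file(s)\n";

# Input that fails the pattern is rejected instead of reusing a stale $1.
for my $bad ("../../etc/passwd", "abc\n", "") {
    eval { untaint_session_id($bad) };
    print "rejected: $@" if $@;
}
rmdir $dir or warn "rmdir $dir: $!";
```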



 