Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106
Is Apache::Session::DB_type Faster than Apache::Session::File? I already use a lot of DB connections and I used Apache::Session::File to reduce this,

Marty

----- Original Message -----
From: Cees Hek [EMAIL PROTECTED]
To: Martin Moss [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, February 28, 2003 5:39 AM
Subject: Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106

> Quoting Martin Moss [EMAIL PROTECTED]:
>
> > All,
> > Can Anybody see what I'm doing wrong here?
> >
> > I have the following error :-
> > [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.
>
> The problem is not with your code, it is that Apache::Session::File does not work in Taint mode. Apache::Session::Store::File gets the session ID from a file (which means session_id is tainted), and then uses the tainted session_id to delete a file (hence the unlink error).
>
> A quick fix for this is for you to untaint the session ID yourself after the session has been unserialized. Put the following two lines right after you tie the session:
>
>     $session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
>     $session{_session_id} = $1;
>
> This probably should be fixed in Apache::Session itself as I am sure other people will run into it.
>
> By the way, you really shouldn't be using Apache::Session::File anyway for performance reasons. At least use Apache::Session::DB_File which most likely doesn't suffer from this taint problem and will be much quicker.
>
> Cees
>
> > When I run the following subroutine:-
> >
> > sub delete_session
> > {
> >     my $self=shift;
> >     my $session_id=shift;
> >
> >     if ($session_id =~ /^(\w\w*)$/) {
> >         $session_id = $1; # $data now untainted
> >     } else {
> >         die "Bad Tainted data in $session_id"; # log this somewhere
> >     }
> >
> >     die $self->{lh}->maketext("No Session_id given") unless ($session_id);
> >
> >     my $t=time;
> >     my %session;
> >     my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
> >     my $LockDirectory = My::Conf::APACHE_SESSIONS_LOCKDIR;
> >
> >     $Directory="XX_GR_XX$Directory"."XX_GR_XX"; #e.g. '/path/to/dir/'
> >     $LockDirectory="XX_GR_XX$LockDirectory"."XX_GR_XX"; #e.g. '/path/to/dir/'
> >
> >     if ($Directory =~ /^XX_GR_XX(.*)XX_GR_XX$/) {
> >         $Directory = $1; # $data now untainted
> >     } else {
> >         die "Bad Tainted data in $Directory"; # log this somewhere
> >     }
> >
> >     if ($LockDirectory =~ /^XX_GR_XX(.*)XX_GR_XX$/) {
> >         $LockDirectory = $1; # $data now untainted
> >     } else {
> >         die "Bad Tainted data in $LockDirectory"; # log this somewhere
> >     }
> >
> >     #Load an existing session
> >     eval {
> >         tie %session, 'Apache::Session::File',$session_id, {
> >             Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
> >             LockDirectory => Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
> >         };
> >     };
> >     if ($@) {
> >         die $self->{lh}->maketext("Couldn't Load Apache::Session - \"[_1]\" For '\"[_2]\"'",$@,$self->UserName);
> >     }
> >
> >     print STDERR "Just about to unlink\n";
> >     tied(%session)->delete;
> >     return 1;
> > }
[error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106
All,
Can Anybody see what I'm doing wrong here?

I have the following error :-
[error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.

When I run the following subroutine:-

sub delete_session
{
    my $self=shift;
    my $session_id=shift;

    if ($session_id =~ /^(\w\w*)$/) {
        $session_id = $1; # $data now untainted
    } else {
        die "Bad Tainted data in $session_id"; # log this somewhere
    }

    die $self->{lh}->maketext("No Session_id given") unless ($session_id);

    my $t=time;
    my %session;
    my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
    my $LockDirectory = My::Conf::APACHE_SESSIONS_LOCKDIR;

    $Directory="XX_GR_XX$Directory"."XX_GR_XX"; #e.g. '/path/to/dir/'
    $LockDirectory="XX_GR_XX$LockDirectory"."XX_GR_XX"; #e.g. '/path/to/dir/'

    if ($Directory =~ /^XX_GR_XX(.*)XX_GR_XX$/) {
        $Directory = $1; # $data now untainted
    } else {
        die "Bad Tainted data in $Directory"; # log this somewhere
    }

    if ($LockDirectory =~ /^XX_GR_XX(.*)XX_GR_XX$/) {
        $LockDirectory = $1; # $data now untainted
    } else {
        die "Bad Tainted data in $LockDirectory"; # log this somewhere
    }

    #Load an existing session
    eval {
        tie %session, 'Apache::Session::File',$session_id, {
            Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
            LockDirectory => Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
        };
    };
    if ($@) {
        die $self->{lh}->maketext("Couldn't Load Apache::Session - \"[_1]\" For '\"[_2]\"'",$@,$self->UserName);
    }

    print STDERR "Just about to unlink\n";
    tied(%session)->delete;
    return 1;
}
Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106
Quoting Martin Moss [EMAIL PROTECTED]:

> All,
> Can Anybody see what I'm doing wrong here?
>
> I have the following error :-
> [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.

The problem is not with your code, it is that Apache::Session::File does not work in Taint mode. Apache::Session::Store::File gets the session ID from a file (which means session_id is tainted), and then uses the tainted session_id to delete a file (hence the unlink error).

A quick fix for this is for you to untaint the session ID yourself after the session has been unserialized. Put the following two lines right after you tie the session:

    $session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
    $session{_session_id} = $1;

This probably should be fixed in Apache::Session itself as I am sure other people will run into it.

By the way, you really shouldn't be using Apache::Session::File anyway for performance reasons. At least use Apache::Session::DB_File which most likely doesn't suffer from this taint problem and will be much quicker.

Cees

> When I run the following subroutine:-
>
> sub delete_session
> {
>     my $self=shift;
>     my $session_id=shift;
>
>     if ($session_id =~ /^(\w\w*)$/) {
>         $session_id = $1; # $data now untainted
>     } else {
>         die "Bad Tainted data in $session_id"; # log this somewhere
>     }
>
>     die $self->{lh}->maketext("No Session_id given") unless ($session_id);
>
>     my $t=time;
>     my %session;
>     my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
>     my $LockDirectory = My::Conf::APACHE_SESSIONS_LOCKDIR;
>
>     $Directory="XX_GR_XX$Directory"."XX_GR_XX"; #e.g. '/path/to/dir/'
>     $LockDirectory="XX_GR_XX$LockDirectory"."XX_GR_XX"; #e.g. '/path/to/dir/'
>
>     if ($Directory =~ /^XX_GR_XX(.*)XX_GR_XX$/) {
>         $Directory = $1; # $data now untainted
>     } else {
>         die "Bad Tainted data in $Directory"; # log this somewhere
>     }
>
>     if ($LockDirectory =~ /^XX_GR_XX(.*)XX_GR_XX$/) {
>         $LockDirectory = $1; # $data now untainted
>     } else {
>         die "Bad Tainted data in $LockDirectory"; # log this somewhere
>     }
>
>     #Load an existing session
>     eval {
>         tie %session, 'Apache::Session::File',$session_id, {
>             Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
>             LockDirectory => Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
>         };
>     };
>     if ($@) {
>         die $self->{lh}->maketext("Couldn't Load Apache::Session - \"[_1]\" For '\"[_2]\"'",$@,$self->UserName);
>     }
>
>     print STDERR "Just about to unlink\n";
>     tied(%session)->delete;
>     return 1;
> }
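
The failure Cees describes and his untaint fix, as an added example that is not part of the thread and is not Apache::Session code. It stands in for the file store by reading a made-up session ID back from a file in a scratch directory under /tmp (both are assumptions), and must be run with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added illustration, not code from the thread. Run as: perl -T taint_unlink.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Taint mode is off; run with perl -T\n" unless ${^TAINT};

# Constructed session store: a scratch directory holding one session file.
my $dir = "/tmp/taint-demo-$$";
mkdir $dir, 0700 or die "mkdir $dir: $!";
my $id = 'abc123DEF456';    # made-up session ID; a literal, so not tainted

open my $out, '>', "$dir/$id" or die "write $dir/$id: $!";
print {$out} "$id\n";       # stand-in for the serialized session data
close $out or die "close: $!";

# Read the ID back, as the store does when it unserializes the session.
# Everything read from a file is tainted, whatever its content.
open my $in, '<', "$dir/$id" or die "read $dir/$id: $!";
my $stored_id = <$in>;
close $in;
chomp $stored_id;
printf "id read from file is tainted: %s\n", tainted($stored_id) ? 'yes' : 'no';

# 1) Build the path from the tainted ID and unlink it: Perl refuses.
my $ok  = eval { unlink "$dir/$stored_id"; 1 };
my $msg = $ok ? "allowed\n" : "refused: $@";
print "unlink with tainted id: $msg";

# 2) Cees's fix: match a strict pattern and keep only the capture, which
#    Perl treats as untainted. Reject the ID if the pattern does not match.
if ($stored_id =~ /^([a-zA-Z0-9]+)$/) {
    my $clean_id = $1;
    unlink "$dir/$clean_id" or die "unlink: $!";
    print "unlink with untainted id: ok\n";
} else {
    die "session id contains unexpected characters\n";
}

rmdir $dir or die "rmdir $dir: $!";
```

The first unlink is refused with the same "Insecure dependency in unlink while running with -T switch" message quoted in the thread; the second succeeds because only the regex capture reaches `unlink`.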