Skip Menu |
 

This queue is for tickets about the Apache-Session CPAN distribution.

Report information
The Basics
Id: 38933
Status: resolved
Priority: 0/
Queue: Apache-Session

People
Owner: Nobody in particular
Requestors: MARKLE [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: 1.88



Subject: Apache::Session::File should detaint session id to run in taint mode
Download (untitled) / with headers
text/plain 459b
You can't use Apache::Session::File in taint mode. Deleting the session does not work, because even if you untaint your cookie value when tying the session, it gets the session id internally from {_session_id} and since this is input from a file, it cannot be used in unlink. ($id) = $id =~ m{ \A ([a-z0-9]+) \z }mxs; Looks like someone else ran into this problem and described it here: http://www.mail-archive.com/modperl@apache.org/msg33173.html
Download (untitled) / with headers
text/plain 408b
Срд. Сен. 03 02:12:03 2008, MARKLE писал: Show quoted text
> You can't use Apache::Session::File in taint mode. Deleting the session > does not work, because even if you untaint your cookie value when tying > the session, it gets the session id internally from {_session_id} and > since this is input from a file, it cannot be used in unlink.
Please test version 1.88. -- Alexandr Ciornii, http://chorny.net


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.