Subject: Running with taint mode
Hi Jos,
Great module. I've started using it for my web apps thanks to the CGI::Application plugin that Mark Stosberg wrote. Unfortunately, I've discovered that it will throw taint errors due to the eval of the input file.
It'd be nice to include a way to support taint mode even if it's an ugly hack that simply untaints the entire input such as:
m/^(.*)$/s;
This would make the perl_eval subroutine look something like the following:
sub eval_perl { ($_[0]) = $_[0] =~ m/^(.*)$/s if $Untaint; do $_[0]; }
Notice that I added a new Untaint global. I've attached a patch which applies this new behavior (unfortunately, it's against v0.10 but hopefully that shouldn't matter).
Considering all the references to enabling taint when writing CGI applications, it'd be great to see this support added to your module.
William
11c11
< use vars qw[$VERSION $DisablePerl];
---
> use vars qw[$VERSION $DisablePerl $Untaint];
14a15
> $Untaint = 0;
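Review bot: defaulting `$Untaint` to 0 keeps the existing behaviour for every current caller and leaves the taint check in force unless someone opts out explicitly; that is the right default for a switch that disables a safety check, so no change needed here.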
152c153
< sub eval_perl { do $_[0]; }
---
> sub eval_perl { ($_[0]) = $_[0] =~ m/^(.*)$/s if $Untaint; do $_[0]; }
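Review bot: the untaint on the `>` line, `($_[0]) = $_[0] =~ m/^(.*)$/s`, matches every possible string, so with `$Untaint` set it only launders the taint flag and lets `do $_[0]` load whatever path was passed in, including one taint mode exists to refuse; either match only the characters a config path is expected to contain (and reject `..` segments) or document `$Untaint` as switching the protection off entirely. Separately, assigning into `$_[0]` writes through the alias into the caller's variable; copy into a lexical instead, e.g. `my ($file) = $_[0] =~ m/^(.*)$/s; do $file;`.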
326a328,330
> When using the perl format, your configuration file will be eval'd. This will
> cause taint errors. To avoid these warnings, set C<$Config::Auto::Untaint = 1>.
>
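Review bot: the added POD text first says "taint errors" and then "these warnings"; under `-T` an insecure `do` dies with an "Insecure dependency" error rather than warning, so say it dies. It should also state that `$Config::Auto::Untaint = 1` removes the check outright and that the caller is then responsible for where the file name comes from, so the flag is not read as a cosmetic switch.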
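The blanket untaint proposed above, beside a validating untaint, as an added example that is not part of William's patch or of Config::Auto; the validation policy, the file name and the config contents are constructed for the example, and the path regex assumes POSIX-style paths.

```perl
#!/usr/bin/perl -T
# Added example, not part of William's patch or of Config::Auto: it contrasts
# the blanket m/^(.*)$/s untaint proposed above with a validating untaint.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Blanket untaint: matches any string, so taint mode no longer guards `do`.
sub untaint_blanket {
    my ($path) = @_;
    my ($clean) = $path =~ m/^(.*)$/s;
    return $clean;
}

# Validating untaint (assumed policy, not the module's): POSIX-style path of
# segments made only of [A-Za-z0-9_.-], optional leading "/", no ".." segment.
sub untaint_checked {
    my ($path) = @_;
    my ($clean) = $path =~ m{\A(/?(?:[\w.-]+/)*[\w.-]+)\z};
    return undef unless defined $clean;
    return undef if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $clean;
}

# Constructed config file in the "perl" format: a hashref that `do` returns.
my ($fh, $conf) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print $fh "+{ host => 'db.example', port => 5432 }\n";
close $fh;

# Taint the constructed paths by appending a zero-length slice of a tainted
# value (%ENV is tainted under -T): the strings are unchanged but now flagged.
my $taint        = substr($ENV{PATH} // '', 0, 0);
my $good_path    = $conf . $taint;
my $hostile_path = "$conf\n../../other.pl" . $taint;   # newline plus traversal

# The blanket regex accepts the hostile value unchanged; the checked one rejects it.
printf "blanket accepts hostile: %d\n", defined(untaint_blanket($hostile_path)) ? 1 : 0;
printf "checked accepts hostile: %d\n", defined(untaint_checked($hostile_path)) ? 1 : 0;

# The good path passes validation, loses its taint, and can be loaded by `do`.
my $clean = untaint_checked($good_path) or die "config path rejected: $good_path\n";
printf "tainted before/after: %d/%d\n", tainted($good_path) ? 1 : 0, tainted($clean) ? 1 : 0;
my $config = do $clean or die "cannot load $clean: " . ($@ || $!) . "\n";
print "host=$config->{host} port=$config->{port}\n";
```

Run it as `perl -T example.pl`; without `-T` the shebang switch is rejected as "too late" and nothing would be tainted anyway.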