Skip Menu |

This queue is for tickets about the Maypole CPAN distribution.

Report information
The Basics
Id: 15678
Status: resolved
Priority: 0/
Queue: Maypole
People
Owner: TEEJAY [...] cpan.org
Requestors: billb [...] quantumlinux.com
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: 2.10
Fixed in: 2.11

History Show all quoted text
  Thu Nov 10 13:25:05 2005 Guest - Ticket created
Subject: Problems with stringify_self and untaint
Although Maypole::Model::CDBI provides a list of required_cols to FromCGI, it does not provide a list of "ignore" cols. Using the attached patch one can bypass untaint for any column (most useful to me for columns which aren't entered via a public interface) using this syntax: Beer::Drinker->config->{donor}{ignore_cols} = [qw/ id secret_beer_recipe /]; Without this patch, an application hang will result for any columns for which an untaint type is not provided. Additionally, if stringify_self is used in a module, the primary key in a create_from_cgi is checked, resulting in a terrible mess, even though the primary key is supposedly "silently skipped" by FromCGI. (The silent part applies, there is no error message.) Symptoms include a resource-hungry apache (under mod_perl) and seg faults. Tested with stock: Maypole 2.10 CDBI::FromCGI 1.00 CGI::Untaint 1.26 Perl 5.8.4 Apache 2.0.54-5, using mod_perl running on Debian Woody (kernel 2.6.8-2-686-smp)
--- /usr/local/src/Maypole-2.10/lib/Maypole/Model/CDBI.pm 2005-07-15 01:18:56.000000000 -0700 +++ CDBI.pm 2005-11-09 21:32:38.002118272 -0800 @@ -116,7 +116,9 @@ eval { $obj = $self->create_from_cgi( $h => - { required => $r->{config}{ $r->{table} }{required_cols} || [], } + { required => $r->{config}{ $r->{table} }{required_cols} || [], + ignore => $r->{config}{ $r->{table} }{ignore_cols} || [], + } ); }; if ($fatal = $@) {
  Wed Dec 21 08:09:49 2005 TEEJAY [...] cpan.org - Taken
  Wed Dec 21 08:10:03 2005 TEEJAY [...] cpan.org - Status changed from 'new' to 'open'
  Wed Dec 21 08:10:03 2005 TEEJAY [...] cpan.org - Severity Normal changed to Important
  Wed Dec 21 08:16:52 2005 TEEJAY [...] cpan.org - Correspondence added
[guest - Thu Nov 10 13:25:05 2005]: Show quoted text
> Although Maypole::Model::CDBI provides a list of required_cols to > FromCGI, it does not provide a list of "ignore" cols. Using the > attached patch one can bypass untaint for any column (most useful > to me for columns which aren't entered via a public interface) > using this syntax: > > Beer::Drinker->config->{donor}{ignore_cols} = [qw/ id > secret_beer_recipe /]; > > Without this patch, an application hang will result for any columns > for which an untaint type is not provided. Additionally, if > stringify_self is used in a module, the primary key in a > create_from_cgi is checked, resulting in a terrible mess, even > though the primary key is supposedly "silently skipped" by FromCGI. > (The silent part applies, there is no error message.) Symptoms > include a resource-hungry apache (under mod_perl) and seg faults. > > > Tested with stock: > > Maypole 2.10 > CDBI::FromCGI 1.00 > CGI::Untaint 1.26 > Perl 5.8.4 > Apache 2.0.54-5, using mod_perl > running on Debian Woody (kernel 2.6.8-2-686-smp)
Reccomended changes applied, modulo 2.11 dev changes in my SVN checkout - should be commited when SVN commit working again and I will then put revision number here. Note to self - document how this works clearer because I forgot and couldn't find it the other night.
  Mon Jan 09 11:07:44 2006 TEEJAY [...] cpan.org - Correspondence added
This bug fixed in SVN 444 (possibly earlier)
  Wed Aug 02 11:17:17 2006 TEEJAY [...] cpan.org - Status changed from 'open' to 'resolved'
  Wed Aug 02 11:17:17 2006 TEEJAY [...] cpan.org - Fixed in 2.11 added