This queue is for tickets about the CGI-Session CPAN distribution.

Report information
The Basics
Id: 18873
Status: resolved
Priority: 0/
Queue: CGI-Session

People
Owner: Nobody in particular
Requestors: robert [...] interactive.co.uk
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 4.09
  • 4.13
Fixed in: (no value)



Subject: Doesn't work in taint mode
Just installed TWiki, and hit taint mode errors from the
eval "require $_" at line 650 in sub load in Session.pm

First access, taking the defaults for serializer, driver and ID.

Perl is 5.6.0 (yeah, it's old:-) on linux (redhat 7.2)

Replacing...

    for ( @pms ) {
        eval "require $_";

With

    my ($pm);
    for $pm ( @pms ) {
        $pm =~ /(.*)/;
        $pm = $1;
        eval "require $pm";

fixes the problem (albeit rather sluttishly!).

From: mleblanc [...] cpan.org
On Sat Apr 22 09:17:12 2006, guest wrote:
> Just installed TWiki, and hit taint mode errors from the
> eval "require $_" at line 650 in sub load in Session.pm
>
> First access, taking the defaults for serializer, driver and ID.
>
> Perl is 5.6.0 (yeah, it's old:-) on linux (redhat 7.2)
>
> Replacing...
>
>     for ( @pms ) {
>         eval "require $_";
>
> With
>
>     my ($pm);
>     for $pm ( @pms ) {
>         $pm =~ /(.*)/;
>         $pm = $1;
>         eval "require $pm";
>
> fixes the problem (albeit rather sluttishly!).

Untainting driver, serializer, and id generator names before attempting to load them is currently in SVN and should be available for next release (4.14).
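
An added example, not part of this ticket and not CGI::Session's code: the /(.*)/ capture in the workaround accepts arbitrary text, so it clears the taint flag without checking the value. The sketch below untaints a name only when it has the shape of a Perl package name, and loads it by file path instead of string eval. The function names and sample inputs are constructed for illustration; run it with perl -T.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a module name only if it looks like a Perl package name:
# identifier segments joined by "::", anchored at both ends.
# Returns the untainted name, or nothing if the value is rejected.
sub untaint_module_name {
    my ($name) = @_;
    return unless defined $name;
    if ($name =~ /\A([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*)\z/) {
        return $1;    # a regex capture is untainted
    }
    return;
}

# Load a module by validated name. Returns 1 on success, 0 otherwise.
sub load_module {
    my ($name) = @_;
    my $clean = untaint_module_name($name) or return 0;
    # Foo::Bar -> Foo/Bar.pm, so require takes a path and no string eval is needed.
    (my $file = "$clean.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 1 : 0;
}

# Zero-length string that is tainted under -T (assumption: the process
# environment is non-empty; environment values are tainted per perlsec).
my $taint = substr(join('', values %ENV), 0, 0);

# Constructed sample inputs: two core module names and two rejected strings.
for my $name ('Data::Dumper', 'File::Spec', 'File::Spec; 1', '../File/Spec') {
    my $input = $name . $taint;
    printf "%-16s tainted=%d accepted=%d loaded=%d\n",
        $input,
        tainted($input) ? 1 : 0,
        defined untaint_module_name($input) ? 1 : 0,
        load_module($input);
}
```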