Bug #18873 for CGI-Session: Doesn't work in taint mode

Sat Apr 22 09:17:12 2006 Guest - Ticket created

Subject:

Doesn't work in taint mode

Just installed TWiki, and hit taint mode errors from the eval "require $_" at line 650 in sub load in Session.pm First access, taking the defaults for serializer, driver and ID. Perl is 5.6.0 (yeah, it's old:-) on linux (redhat 7.2) Replacing... for ( @pms ) { eval "require $_"; With my ($pm); for $pm ( @pms ) { $pm =~ /(.*)/; $pm = $1; eval "require $pm"; fixes the problem (albeit rather sluttishly!).

Wed Jun 07 17:04:42 2006 Guest - Correspondence added

From:

mleblanc [...] cpan.org

On Sat Apr 22 09:17:12 2006, guest wrote: Show quoted text

> Just installed TWiki, and hit taint mode errors from the > eval "require $_" at line 650 in sub load in Session.pm > > First access, taking the defaults for serializer, driver and ID. > > Perl is 5.6.0 (yeah, it's old:-) on linux (redhat 7.2) > > Replacing... > > for ( @pms ) { > eval "require $_"; > > With > > my ($pm); > for $pm ( @pms ) { > $pm =~ /(.*)/; > $pm = $1; > eval "require $pm"; > > fixes the problem (albeit rather sluttishly!). > >

Untainting driver, serializer, and id generator names before attempting to load them is currently in SVN and should be available for next release (4.14).

Wed Jun 07 17:04:42 2006 The RT System itself - Status changed from 'new' to 'open'

Sat Jun 10 20:15:04 2006 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'