

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 35367
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: matthiasfrey1 [...] web.de
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: Parameters are not tainted with CGI::Fast
Hi

When executing the attached CGI with the GET parameter 'param' using CGI::Fast and Taint Mode on, the parameter is not tainted.

Perl version: v5.8.8 built for i486-linux-gnu-thread-multi
Running on: Linux 2.6.22-14-generic
Lighttpd version: 1.4.18
Subject: test.fcgi
application/octet-stream 483b


On Thu Apr 24 04:31:29 2008, Darlin wrote:
> Hi
>
> When executing the attached CGI with the GET parameter 'param' using
> CGI::Fast and Taint Mode on, the parameter is not tainted.
>
> Perl version: v5.8.8 built for i486-linux-gnu-thread-multi
> Running on: Linux 2.6.22-14-generic
> Lighttpd version: 1.4.18
When I run your test script on the command line with CGI.pm 3.43, I get back the result that "param is tainted", so the bug is not triggered there. Is it still triggered for you? If so, have you tested plain Perl with FCGI and lighttpd to see if there untainting is working in this environment outside of CGI.pm? I can't see what CGI::Fast would be doing that would accidentally untaint data.

Mark
Considering resolved, after receiving no confirmation since 2009.
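
A diagnostic along the lines discussed in this ticket, reporting whether taint mode is active and whether the raw query string and the CGI::Fast parameter carry the taint flag under a given server. This is an added example, not the test.fcgi attached to the ticket (its contents are not shown on this page); the allow-list pattern and the output labels are assumptions.

```perl
#!/usr/bin/perl -T
# Added diagnostic example; not the test.fcgi attached to the ticket.
use strict;
use warnings;
use CGI::Fast;
use Scalar::Util qw(tainted);

# Report whether a value carries the taint flag.
sub taint_status {
    my ($value) = @_;
    return 'undefined' unless defined $value;
    return tainted($value) ? 'tainted' : 'NOT tainted';
}

# Under FastCGI this loops once per request; on the command line it runs once.
while (my $q = CGI::Fast->new) {
    my $param = $q->param('param');

    # Known-clean control: a regex capture is the deliberate way to untaint.
    # The allow-list pattern is an assumption chosen for this example.
    my $clean;
    if (defined $param && $param =~ /\A([A-Za-z0-9_]{1,64})\z/) {
        $clean = $1;
    }

    print $q->header(-type => 'text/plain');

    # ${^TAINT} is 1 when the interpreter really runs with -T, 0 otherwise.
    printf "taint mode (\${^TAINT}): %s\n", ${^TAINT};
    # The raw environment value shows whether the FastCGI layer taints input
    # before CGI.pm ever parses it.
    printf "\$ENV{QUERY_STRING}:     %s\n", taint_status($ENV{QUERY_STRING});
    printf "param('param'):         %s\n", taint_status($param);
    printf "regex-captured copy:    %s\n", taint_status($clean);
}
```

If `$ENV{QUERY_STRING}` is already reported as not tainted, the flag is missing before CGI.pm parses the request; if only `param('param')` is, the parameter handling is where it is lost.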