Subject: | Insecure dependency (taint mode) with file & storable |
Taint issue with driver:file;serializer:storable.
The problem is that the storable serializer returns tainted data; file::store
constructs the filename using _SESSION_ID, which is tainted. As a result,
sysopen fails under -T.
Test case:
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI::Session;
use File::Spec;
# Reproduction script for the taint failure; it is meant to run under -T
# (see the shebang line). Both calls use the same DSN: the file driver
# combined with the storable serializer.
my $dsn = "driver:file;serializer:storable";

# Report which CGI::Session version is being exercised.
print $CGI::Session::VERSION, "\n";

# Step 1: create a session with no id supplied (undef), stored under the
# system temp directory, then write it to disk.
my $session = CGI::Session->new(
    $dsn,
    undef,
    { Directory => File::Spec->tmpdir },
);
die CGI::Session->errstr() unless $session;

my $sid = $session->id;
$session->flush;
print $sid, "\n";

# Step 2: read the same session back by id. The data now comes from the
# serializer rather than from the freshly generated id.
$session = CGI::Session->load(
    $dsn,
    $sid,
    { Directory => File::Spec->tmpdir },
);
die CGI::Session->errstr() unless $session;

# Step 3: change a parameter and write the session out again. In the
# reported run the "Insecure dependency in sysopen" error is raised at
# some point after the id has been printed.
$session->param( 'a', 1 );
$session->flush;
./taint
4.48
5036c5c476f14f8c1adfb0b31947250c
Insecure dependency in sysopen while running with -T switch
at /usr/local/share/perl5/CGI/Session/Driver/file.pm line 107.
Patch:
--- /usr/local/share/perl5/CGI/Session/Driver/file.pm~ 2012-10-22
20:23:11.357734505 -0400
+++ /usr/local/share/perl5/CGI/Session/Driver/file.pm 2012-10-22
21:53:23.484981534 -0400
@@ -45,15 +45,16 @@
sub _file {
my ($self,$sid) = @_;
my $id = $sid;
$id =~ s|\\|/|g;
- if ($id =~ m|/|)
+ if ($id =~ m|/|)
{
return $self->set_error( "_file(): Session ids cannot contain
\\ or / chars: $sid" );
}
-
+ $sid =~ /^(.*)$/;
+ $sid = $1;
return File::Spec->catfile($self->{Directory}, sprintf( $FileName,
$sid ));
}
sub retrieve {
my $self = shift;
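Review bot: The two added lines in `_file`, `$sid =~ /^(.*)$/; $sid = $1;`, clear the taint flag without validating anything, so taint mode no longer guards the value that is formatted into the session file name; the only remaining check is the earlier rejection of `/` and `\`. The match result is also unchecked: `.` does not match a newline, so an id with an embedded newline fails the match and `$sid` is then assigned whatever `$1` held before. I would untaint through an allow-list anchored with `\A`/`\z` and fail closed, for example `return $self->set_error("_file(): invalid session id") unless $sid =~ /\A([0-9A-Za-z_-]+)\z/;` followed by `$sid = $1;`. The character class is a suggestion (the id in the test case is 32 hex characters) and should be checked against every id generator the module supports.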