That would be the way to do it, with the realization that I'm trusting that no one has diddled with the session data file, presumably because I've taken other safeguards to prevent that from happening.

No, the problem is that CGI::Session is managing both the session data retrieval step (using CGI::Session::File from the 'driver:File' option) and executing the de-serialization step (using Storable because of the 'serializer:Storable' option). There doesn't seem to be a good way to insert untainting code between those two steps.

Or, it seems that way. But since someone _must_ have figured this out before, I'm hoping... Meanwhile I've turned taint mode off again (this time on purpose) but know that I have to turn it back on real-soon-now.

Also, I checked the beta 4.x versions of CGI::Session, and while that code is 'better' in that the retrieve() call doesn't directly call the thaw() method, the C::S code still doesn't seem to make it any easier to add code between the two calls.


In reply to Re^2: CGI::Session, taint mode, and tainted session file input data by shenme
in thread CGI::Session, taint mode, and tainted session file input data by shenme
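
Added example (not code from this thread or from CGI::Session itself): a drop-in serializer plugin that gives a hook between the file read and Storable::thaw, assuming the CGI::Session 4.x pluggable interface (a CGI::Session::Serialize::* module with freeze/thaw methods inheriting CGI::Session::ErrorHandler). The module name, the HMAC tag layout and the key handling are assumptions; the point is to untaint only after proving the blob is one this application wrote.

```perl
package CGI::Session::Serialize::hmac_storable;   # hypothetical plugin name
use strict;
use warnings;
use Storable ();                       # called fully qualified to avoid clashing with our freeze/thaw
use Digest::SHA qw(hmac_sha256);
use CGI::Session::ErrorHandler;
our @ISA = ('CGI::Session::ErrorHandler');

# Assumption: in real use the key comes from a file readable only by the web user.
our $KEY = 'placeholder-secret-load-from-protected-config';
my $TAG_LEN = 32;                      # HMAC-SHA256 output length in bytes

# Stored layout: 32-byte tag || Storable blob.  Selected with
#   CGI::Session->new("driver:File;serializer:hmac_storable", $cgi, { Directory => $dir })
sub freeze {
    my ($self, $data) = @_;
    my $blob = Storable::freeze($data);
    return hmac_sha256($blob, $KEY) . $blob;
}

sub thaw {
    my ($self, $string) = @_;          # tainted under -T: read straight from the session file
    return $self->set_error("hmac_storable: stored session too short")
        if length($string) < $TAG_LEN;

    my $tag  = substr($string, 0, $TAG_LEN);
    my $blob = substr($string, $TAG_LEN);
    my $want = hmac_sha256($blob, $KEY);

    # Constant-time comparison so a tampered file cannot be tuned byte by byte.
    my $diff = 0;
    $diff |= ord(substr($tag, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. $TAG_LEN - 1;
    return $self->set_error("hmac_storable: session file failed integrity check")
        if $diff;

    # Tag verified: the blob was written by freeze() above, so untainting it is justified.
    # /s lets '.' span the binary content; the capture is what launders the taint flag.
    my ($clean) = $blob =~ /\A(.*)\z/s;
    return Storable::thaw($clean);
}

1;
```

Because the check happens inside thaw(), nothing in CGI::Session's retrieve() path has to change; a file that fails the check simply never reaches Storable.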
