Re: CGI::Session, taint mode, and tainted session file input data

Couldn't you untaint the string with something like

$tainted =~ /^(.*)$/;
my $untainted = $1;
[download]

Mind you, I'm not necessarily proposing this; I'm just trying to figure out whether you already tried this and it did not appease taint, or it did, but you want some better approach.

the lowliest monk

Comment on Re: CGI::Session, taint mode, and tainted session file input data Download Code

Replies are listed 'Best First'.
Re^2: CGI::Session, taint mode, and tainted session file input data by shenme (Priest) on Apr 25, 2005 at 02:31 UTC
That would be the way to do it, with the realization that I'm trusting that no one has diddled with the session data file, presumably because I've taken other safeguards to prevent that from happening. No the problem is that CGI::Session is managing both the session data retrieval step (using CGI::Session::File from the 'driver:File' option) and executing the de-serialization step (using Storable because of the 'serializer:Storable' option). There doesn't seem to be a good way to insert untainting code between those two steps. Or, it seems that way. But since someone _must_ have figured this out before, I'm hoping... Meanwhile I've turned taint mode off again (this time on purpose) but know that I have to turn it back on real-soon-now. Also, I checked the beta 4.x versions of CGI::Session, and while that code is 'better' in that the retrieve() call doesn't directly call the thaw() method, the C::S code still doesn't seem to make it any easier to add code between the two calls.	[reply]
Re^3: CGI::Session, taint mode, and tainted session file input data by tlm (Prior) on Apr 25, 2005 at 03:03 UTC
Could you subclass Storable, and override the deserialization methods so that detainting is done before calling the SUPER method? (Of course, this assumes that you can specify your subclass as an alternative serializer module.) the lowliest monk	[reply]