in reply to Re: CGI::Session, taint mode, and tainted session file input data
in thread CGI::Session, taint mode, and tainted session file input data
No, the problem is that CGI::Session is managing both the session data retrieval step (using CGI::Session::File from the 'driver:File' option) and executing the de-serialization step (using Storable because of the 'serializer:Storable' option). There doesn't seem to be a good way to insert untainting code between those two steps.
Or, it seems that way. But since someone _must_ have figured this out before, I'm hoping... Meanwhile I've turned taint mode off again (this time on purpose) but know that I have to turn it back on real-soon-now.
Also, I checked the beta 4.x versions of CGI::Session, and while that code is 'better' in that the retrieve() call doesn't directly call the thaw() method, the C::S code still doesn't seem to make it any easier to add code between the two calls.
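As an added example (not code from the original post, and not CGI::Session's own code), the following stand-alone Perl script reproduces the two steps the post describes, reading a frozen session file and thawing it with Storable, with the missing untaint step done by hand in between. The session file, its contents and the helper names (read_session_file, untaint_frozen) are constructed for this example; run it with `perl -T` to see the taint flags.

```perl
use strict;
use warnings;
use Storable     qw(freeze thaw);
use Scalar::Util qw(tainted);
use File::Temp   qw(tempfile);

# Run as:  perl -T untaint_session.pl
# Without -T nothing is tainted and every report below simply says 'no'.
print "taint mode is ", (${^TAINT} ? "on" : "off"), "\n";

# --- Stand-in for the file CGI::Session::File would have written ---------
# Constructed sample session, frozen the way 'serializer:Storable' does it.
my $session = { _SESSION_ID => 'c0ffee', user => 'alice', logged_in => 1 };
my ($out, $path) = tempfile(UNLINK => 1);
binmode $out;
print {$out} freeze($session) or die "write $path: $!";
close $out or die "close $path: $!";

# --- Step 1: retrieve, i.e. what the File driver does ---------------------
sub read_session_file {
    my ($file) = @_;
    open my $in, '<', $file or die "open $file: $!";
    binmode $in;
    my $bytes = do { local $/; <$in> };
    close $in;
    return $bytes;    # tainted under -T: it came from outside the program
}

# --- Step 2: the untaint step the post has no hook for --------------------
sub untaint_frozen {
    my ($bytes) = @_;
    # A Storable blob is binary, so no character-class pattern can validate
    # it; the only sanity checks available are that something was read and
    # that it is not absurdly large.  The blanket capture below clears the
    # taint flag and proves nothing else: what makes it defensible is that
    # the session directory is writable only by the application.
    die "empty session file\n"     unless length $bytes;
    die "session file too large\n" if length $bytes > 1_000_000;
    my ($clean) = $bytes =~ /\A(.*)\z/s or die "untaint failed\n";
    return $clean;
}

# --- Step 3: deserialize, i.e. what the Storable serializer does ----------
my $frozen = read_session_file($path);
my $clean  = untaint_frozen($frozen);
my $data   = thaw($clean) or die "thaw failed\n";

printf "%-28s %s\n", 'raw file bytes tainted:',    tainted($frozen)       ? 'yes' : 'no';
printf "%-28s %s\n", 'untainted bytes tainted:',   tainted($clean)        ? 'yes' : 'no';
printf "%-28s %s\n", 'thawed user value tainted:', tainted($data->{user}) ? 'yes' : 'no';
printf "%-28s %s\n", 'session user:',              $data->{user};
```

Under `perl -T` the first line reports 'yes' and the next two 'no': the bytes are tainted as they leave the file, the regex clears the flag, and values thawed from the cleared blob carry no taint, so they can flow into file names or commands without the "Insecure dependency" error. The caveat is the one in the comment: untainting a Storable blob is not validation, and Storable's own documentation warns that it is not safe against malicious input, so this step only makes sense when the file driver's directory cannot be written by anyone but the application.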
Re^3: CGI::Session, taint mode, and tainted session file input data
by tlm (Prior) on Apr 25, 2005 at 03:03 UTC