Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106

Is Apache::Session::DB_type Faster than Apache::Session::File?

I already use a lot of DB connections and I used Apache::Session::File to
reduce this,

Marty
----- Original Message -----
From: "Cees Hek" <cees@xxxxxxxxxxxxxxxx>
To: "Martin Moss" <martin_moss@xxxxxxxxxxxxxx>
Cc: <modperl@xxxxxxxxxxxxxxx>
Sent: Friday, February 28, 2003 5:39 AM
Subject: Re: [error] Insecure dependency in unlink while running with -T
switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line
106


> Quoting Martin Moss <Martin_moss@xxxxxxxxxxxxxx>:
>
> > All,
> > Can Anybody see what I'm doing wrong here?
> >
> > I have the following error :-
> > [error] Insecure dependency in unlink while running with -T switch at
> > /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.
>
>       The problem is not with your code, it is that Apache::Session::File
does
> not work in Taint mode.  Apache::Session::Store::File gets the session ID
from a
> file (which means session_is is tainted), and then uses the tainted
session_id
> to delete a file (hence the unlink error).
>
>       A quick fix for this is for you to untaint the session ID yourself
after
> the session has been unserialized. Put the following two lines right after
you
> tie the session:
>
> $session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
> $session{_session_id} = $1;
>
>       This probably should be fixed in Apache::Session itself as I am sure
other
> people will run into it.
>
>       By the way, you really shouldn't be using Apache::Session::File
anyway for
> performance reasons. At least use Apache::Session::DB_File which most
likely
> doesn't suffer from this taint problem and will be much quicker.
>
> Cees
>
>
>
> >
> > When I run the following subroutine:-
> >
> > sub delete_session
> > {
> >   my $self=shift;
> >   my $session_id=shift;
> >
> >   if ($session_id =~ /^(\w\w*)$/)
> >   {
> >     $session_id = $1;                     # $data now untainted
> >   }
> >   else
> >   {
> >     die "Bad Tainted data in $session_id";        # log this somewhere
> >   }
> >
> >   die $self->{lh}->maketext("No Session_id given") unless ($session_id);
> >
> >   my $t=time;
> >   my %session;
> >
> >   my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
> >   my $LockDirectory   = My::Conf::APACHE_SESSIONS_LOCKDIR;
> >
> >   $Directory="XX_GRRRRR_XX$Directory"."XX_GRRRRR_XX";     #e.g.
> > '/path/to/dir/'
> >   $LockDirectory="XX_GRRRRR_XX$LockDirectory"."XX_GRRRRR_XX";  #e.g.
> > '/path/to/dir/'
> >
> >   if ($Directory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
> >   {
> >     $Directory = $1;                     # $data now untainted
> >   }
> >   else
> >   {
> >     die "Bad Tainted data in $Directory";        # log this somewhere
> >   }
> >
> >   if ($LockDirectory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
> >   {
> >     $LockDirectory = $1;                     # $data now untainted
> >   }
> >   else
> >   {
> >     die "Bad Tainted data in $LockDirectory";        # log this
somewhere
> >   }
> >
> >   #Load an existing session
> >  eval
> >   {
> >     tie %session, 'Apache::Session::File',$session_id,
> >             {
> >               Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
> >               LockDirectory   =>
Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
> >             };
> >   };
> >   if ($@)
> >   {
> >        die $self->{lh}->maketext("Couldn't Load Apache::Session -
\"[_1]\"
> > For '\"[_2]\"'",$@,$self->UserName);
> >   }
> >
> >   print STDERR "Just about to unlink\n";
> >   tied(%session)->delete;
> >   return 1;
> > }
> >
> >
>
>
>