[Maypole] Taint mode

From: Spencer Ogden (spencer at spencerogden.com)
Date: Tue Jan 11 2005 - 05:42:39 GMT


I haven't seen a mention of this on the list yet, so I thought I would
throw it out there.

When I first set up Maypole under CGI::Maypole, my initial thought, like
a good little boy, was to start my beer.cgi with "#!/usr/bin/perl -T",
and I soon found out that Maypole does not like taint mode. The most basic
problem is that the path is never untainted, causing some calls in
Class::DBI::AsForm to fail when $self, which comes straight from
the path, is tainted.

I'm not sure if this is worth fixing, and I'm sure there are many
other issues I haven't hit yet, but I think the right place to fix this
is in Maypole::parse_path. Here's my thought:

--- /usr/lib/perl5/site_perl/5.8.5/Maypole.pm 2004-12-25
03:07:50.000000000 +0000
+++ Maypole.pm 2005-01-11 05:38:09.907182616 +0000
@@ -187,4 +187,7 @@
     my $self = shift;
     $self->{path} ||= "frontpage";
+ $self->{path} =~ /((\w\/?)+)/;
+ $self->{path} = $1;
+
     my @pi = split /\//, $self->{path};
     shift @pi while @pi and !$pi[0];
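Review bot: the two added lines assign `$self->{path} = $1` without checking that the match succeeded. If the path contains no word character the regex fails, `$1` keeps whatever an earlier successful match in that scope set (or is undef), and the request continues with stale or empty data instead of being refused. The pattern is also unanchored, so a path like `beer/view/1;rm` is quietly shortened to `beer/view/1` rather than rejected, which defeats the point of taint mode. Suggest wrapping the assignment in the match test and anchoring the pattern, e.g. `if ($self->{path} =~ m{^((?:\w+/?)*)$}) { $self->{path} = $1 } else { ... return an error ... }`, so only the read of `$1` inside the success branch untaints, and anything outside the allowed character class is refused instead of truncated.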

Regards,

Spencer Ogden
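The untainting idiom under discussion, as an added example that is not part of the post above or of Maypole's own code: a hypothetical untaint_path helper that runs under perl -T, checks the match before reading $1, anchors the whitelist with \A and \z, and dies instead of silently truncating. The sample inputs at the bottom are constructed; when arguments are passed on the command line they arrive tainted, so Scalar::Util::tainted shows the before/after state.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# untaint_path: hypothetical helper (not Maypole::parse_path) replacing the
# bare  $path =~ /((\w\/?)+)/; $path = $1;  idiom. Returns an untainted copy
# of $path, or dies so the caller can return an error, rather than reusing a
# stale $1 or quietly keeping only the first word-character run.
sub untaint_path {
    my ($path) = @_;
    $path = 'frontpage' if !defined $path || $path eq '';

    # Anchored whitelist: one or more [A-Za-z0-9_] segments joined by single
    # slashes; a leading/trailing slash is tolerated and dropped. \A and \z
    # (not ^ and $) so an embedded newline cannot hide a second "line".
    if ($path =~ m{\A /? ( [A-Za-z0-9_]+ (?: / [A-Za-z0-9_]+ )* ) /? \z}x) {
        return $1;    # $1 is only read inside the success branch
    }
    die "refusing request path '$path': characters outside [A-Za-z0-9_/]\n";
}

# Under -T, @ARGV and %ENV are tainted, so command-line arguments stand in
# for PATH_INFO. Constructed sample inputs are used when none are given.
my @samples = @ARGV ? @ARGV
                    : ('/beer/view/1', 'beer/view/1;rm', '../../etc/passwd', '');

for my $raw (@samples) {
    my $clean = eval { untaint_path($raw) };
    if (defined $clean) {
        printf "%-24s -> %-16s in_tainted=%d out_tainted=%d\n",
            "'$raw'", $clean, tainted($raw) ? 1 : 0, tainted($clean) ? 1 : 0;
    } else {
        print "'$raw' rejected: $@";
    }
}
```

Run it as `perl -T untaint.pl '/beer/view/1' 'beer/view/1;rm'` (the -T switch must be on the command line or the shebang, otherwise perl refuses with "Too late for -T"); the first argument comes out untainted, the second is rejected rather than trimmed.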

_______________________________________________
maypole mailing list
maypole at lists.netthink.co.uk
http://lists.netthink.co.uk/listinfo/maypole



This archive was generated by hypermail 2.1.3 : Thu Feb 24 2005 - 22:25:57 GMT