Is Apache::Session::DB_type Faster than Apache::Session::File?
I already use a lot of DB connections and I used Apache::Session::File to
reduce this,
Marty
----- Original Message -----
From: "Cees Hek" <[EMAIL PROTECTED]>
To: "Martin Moss" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, February 28, 2003 5:39 AM
Subject: Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106
> Quoting Martin Moss <[EMAIL PROTECTED]>:
>
> > All,
> > Can Anybody see what I'm doing wrong here?
> >
> > I have the following error :-
> > [error] Insecure dependency in unlink while running with -T switch at
> > /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.
>
> The problem is not with your code, it is that Apache::Session::File does
> not work in Taint mode. Apache::Session::Store::File gets the session ID
> from a file (which means session_id is tainted), and then uses the tainted
> session_id to delete a file (hence the unlink error).
>
> A quick fix for this is for you to untaint the session ID yourself after
> the session has been unserialized. Put the following two lines right after
> you tie the session:
>
> $session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
> $session{_session_id} = $1;
>
> This probably should be fixed in Apache::Session itself as I am sure other
> people will run into it.
>
> By the way, you really shouldn't be using Apache::Session::File anyway for
> performance reasons. At least use Apache::Session::DB_File which most likely
> doesn't suffer from this taint problem and will be much quicker.
>
> Cees
>
>
>
> >
> > When I run the following subroutine:-
> >
> > sub delete_session
> > {
> >     my $self=shift;
> >     my $session_id=shift;
> >
> >     if ($session_id =~ /^(\w\w*)$/)
> >     {
> >         $session_id = $1; # $data now untainted
> >     }
> >     else
> >     {
> >         die "Bad Tainted data in $session_id"; # log this somewhere
> >     }
> >
> >     die $self->{lh}->maketext("No Session_id given") unless ($session_id);
> >
> >     my $t=time;
> >     my %session;
> >
> >     my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
> >     my $LockDirectory = My::Conf::APACHE_SESSIONS_LOCKDIR;
> >
> >     $Directory="XX_GRRRRR_XX$Directory"."XX_GRRRRR_XX"; #e.g. '/path/to/dir/'
> >     $LockDirectory="XX_GRRRRR_XX$LockDirectory"."XX_GRRRRR_XX"; #e.g. '/path/to/dir/'
> >
> >     if ($Directory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
> >     {
> >         $Directory = $1; # $data now untainted
> >     }
> >     else
> >     {
> >         die "Bad Tainted data in $Directory"; # log this somewhere
> >     }
> >
> >     if ($LockDirectory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
> >     {
> >         $LockDirectory = $1; # $data now untainted
> >     }
> >     else
> >     {
> >         die "Bad Tainted data in $LockDirectory"; # log this somewhere
> >     }
> >
> >     #Load an existing session
> >     eval
> >     {
> >         tie %session, 'Apache::Session::File',$session_id,
> >         {
> >             Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
> >             LockDirectory => Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
> >         };
> >     };
> >     if ($@)
> >     {
> >         die $self->{lh}->maketext("Couldn't Load Apache::Session - \"[_1]\" For '\"[_2]\"'",$@,$self->UserName);
> >     }
> >
> >     print STDERR "Just about to unlink\n";
> >     tied(%session)->delete;
> >     return 1;
> > }
> >
> >
>
>
>
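
The taint failure and the untainting step discussed in this thread, as an added example that is not code from either poster or from Apache::Session. It checks the match before using `$1` rather than assigning `$1` unconditionally; the one-line session file layout, the sample ID and the helper name `untaint_session_id` are constructed for illustration, and the script has to be started with `perl -T`.

```perl
# Added example; run as: perl -T untaint_demo.pl
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

die "Run with -T to see the taint checks\n" unless ${^TAINT};

# Hypothetical helper: validate and untaint a session ID.
# A failed match dies here; with an unconditional "$id = $1" it would
# silently leave whatever an earlier successful match had captured.
sub untaint_session_id {
    my ($id) = @_;
    defined($id) && $id =~ /\A([a-zA-Z0-9]+)\z/
        or die "Refusing malformed session ID\n";
    return $1;    # capture from a successful match is untainted
}

# Constructed stand-in for a stored session: a file named after the
# session ID whose first line holds that same ID.
my $dir = tempdir();
my $id  = 'deadbeef0123456789abcdef01234567';    # constructed sample ID
open my $out, '>', "$dir/$id" or die "open: $!";
print {$out} "$id\n";
close $out or die "close: $!";

# Anything read back from a file is tainted, as with the stored session.
open my $in, '<', "$dir/$id" or die "open: $!";
chomp(my $from_file = <$in>);
close $in;
print "tainted after read: ", (tainted($from_file) ? "yes" : "no"), "\n";

# unlink refuses the tainted name: this is the error from the subject line.
my $ok = eval { unlink "$dir/$from_file"; 1 };
print "unlink with tainted ID: $@" unless $ok;

# After validation the same unlink is allowed.
my $clean = untaint_session_id($from_file);
unlink "$dir/$clean" or die "unlink: $!";
print "unlink after validation: ok\n";

# A value that does not look like a session ID is rejected, not laundered.
eval { untaint_session_id("../other-session") };
print "rejected: $@";

rmdir $dir or warn "rmdir: $!";
```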