Is Apache::Session::DB_type Faster than Apache::Session::File? I already use a lot of DB connections and I used Apache::Session::File to reduce this,
Marty

----- Original Message -----
From: "Cees Hek" <[EMAIL PROTECTED]>
To: "Martin Moss" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, February 28, 2003 5:39 AM
Subject: Re: [error] Insecure dependency in unlink while running with -T switch at /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106

> Quoting Martin Moss <[EMAIL PROTECTED]>:
>
> > All,
> > Can Anybody see what I'm doing wrong here?
> >
> > I have the following error :-
> > [error] Insecure dependency in unlink while running with -T switch at
> > /usr/lib/perl5/site_perl/5.6.0/Apache/Session/Store/File.pm line 106.
>
> The problem is not with your code, it is that Apache::Session::File does
> not work in Taint mode. Apache::Session::Store::File gets the session ID from a
> file (which means session_id is tainted), and then uses the tainted session_id
> to delete a file (hence the unlink error).
>
> A quick fix for this is for you to untaint the session ID yourself after
> the session has been unserialized. Put the following two lines right after you
> tie the session:
>
> $session{_session_id} =~ /^([a-zA-Z0-9]+)$/;
> $session{_session_id} = $1;
>
> This probably should be fixed in Apache::Session itself as I am sure other
> people will run into it.
>
> By the way, you really shouldn't be using Apache::Session::File anyway for
> performance reasons. At least use Apache::Session::DB_File which most likely
> doesn't suffer from this taint problem and will be much quicker.
>
> Cees
>
> > When I run the following subroutine:-
> >
> > sub delete_session
> > {
> >     my $self=shift;
> >     my $session_id=shift;
> >
> >     if ($session_id =~ /^(\w\w*)$/)
> >     {
> >         $session_id = $1; # $data now untainted
> >     }
> >     else
> >     {
> >         die "Bad Tainted data in $session_id"; # log this somewhere
> >     }
> >
> >     die $self->{lh}->maketext("No Session_id given") unless ($session_id);
> >
> >     my $t=time;
> >     my %session;
> >
> >     my $Directory = My::Conf::APACHE_SESSIONS_TMPDIR;
> >     my $LockDirectory = My::Conf::APACHE_SESSIONS_LOCKDIR;
> >
> >     $Directory="XX_GRRRRR_XX$Directory"."XX_GRRRRR_XX"; #e.g. '/path/to/dir/'
> >     $LockDirectory="XX_GRRRRR_XX$LockDirectory"."XX_GRRRRR_XX"; #e.g. '/path/to/dir/'
> >
> >     if ($Directory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
> >     {
> >         $Directory = $1; # $data now untainted
> >     }
> >     else
> >     {
> >         die "Bad Tainted data in $Directory"; # log this somewhere
> >     }
> >
> >     if ($LockDirectory =~ /^XX_GRRRRR_XX(.*)XX_GRRRRR_XX$/)
> >     {
> >         $LockDirectory = $1; # $data now untainted
> >     }
> >     else
> >     {
> >         die "Bad Tainted data in $LockDirectory"; # log this somewhere
> >     }
> >
> >     #Load an existing session
> >     eval
> >     {
> >         tie %session, 'Apache::Session::File',$session_id,
> >         {
> >             Directory => Bficient::Conf::APACHE_SESSIONS_TMPDIR,
> >             LockDirectory => Bficient::Conf::APACHE_SESSIONS_LOCKDIR,
> >         };
> >     };
> >     if ($@)
> >     {
> >         die $self->{lh}->maketext("Couldn't Load Apache::Session - \"[_1]\" For '\"[_2]\"'",$@,$self->UserName);
> >     }
> >
> >     print STDERR "Just about to unlink\n";
> >     tied(%session)->delete;
> >     return 1;
> > }
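
The taint failure and the untaint step described in the quoted reply, reproduced as an added example that is not part of the original thread or of Apache::Session's code. The helper name `untaint_session_id`, the file names and the sample session ID are assumptions constructed for the demonstration; unlike the two-line quick fix, the helper dies when the pattern does not match, so a stale `$1` is never used.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl   (hypothetical file name)
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Return an untainted copy of a session ID, or die if it has an unexpected
# shape. Checking the match matters: after a failed match $1 keeps its old value.
sub untaint_session_id {
    my ($id) = @_;
    defined $id && $id =~ /^([a-zA-Z0-9]+)$/
        or die "Malformed session ID\n";
    return $1;
}

my $dir        = tempdir();        # constructed scratch directory
my $id_on_disk = 'abc123def456';   # constructed sample session ID

# Create the "session file" and a second file that records its ID.
for my $name ($id_on_disk, 'index') {
    open my $out, '>', "$dir/$name" or die "open: $!";
    print {$out} "$id_on_disk\n";
    close $out;
}

# Anything read from a file is tainted under -T, like the stored session ID.
open my $in, '<', "$dir/index" or die "open: $!";
chomp(my $session_id = <$in>);
close $in;
print "tainted after read: ", (tainted($session_id) ? "yes" : "no"), "\n";

# unlink with a tainted name is refused, the same error as in the subject line.
eval { unlink "$dir/$session_id"; 1 } or print "refused: $@";

# After validation the same unlink is permitted.
my $clean = untaint_session_id($session_id);
unlink "$dir/$clean" or die "unlink: $!";
print "removed session file for $clean\n";

unlink "$dir/index";
rmdir $dir;
```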