On Mon, 26 Mar 2001, Christopher L. Everett,,, wrote:
> Apache::Session::MySQL won't save session state.
> Apache::Session::File returns the following error:
>
> Insecure dependency in open while running with -T switch at
> /usr/local/lib/perl5/site_perl/5.6.0/Apache/Session/Lock/File.pm
> line 40.
Well, line 40 of Apache/Session/Lock/File.pm contains the following bit of
code:
open($fh,"+>".$LockDirectory."/Apache-Session-".$session->{data}->{_session_id}.".lock")
|| die $!;
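So perl is telling you that one of the variables being used in the open
command is tainted (you are running perl in taint mode with the -T
switch turned on). I'm guessing it is probably
$session->{data}->{_session_id}, which is really just the $session_id
variable that you pulled out of a Cookie in your code below (and
cookies are automatically tainted since they come from the user). You will
have to untaint the $session_id variable before you pass it to
Apache::Session, and this error message should go away. Keep in mind that
this value ends up in the name of the lock file that gets opened, so untaint
it by matching it against a strict, anchored pattern for the ID format you
expect (for example, hex digits only) and using the captured value; a
catch-all pattern like (.*) would make the error go away too, but it would
let characters like '/' and '..' from the cookie through into the file path.
See the perlsec manpage on how to untaint variables...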
Cees
> here's the code in question:
>
> sub put_or_del_session {
> my ($self, $r, %session) = @_;
>
> if ($self->command eq 'logout') {
> tied{%session}->delete;
> my $cookie = Apache::Cookie->new( $r,
> -name => 'SessionID',
> -path => $self->{uri},
> -domain => $self->{config}->{TicketServerName},
> -expires => '-10m',
> -value => '' );
> $cookie->bake;
> } elsif (($self->page eq 'frame' && $self->command eq 'make') or
> $self->page eq 'action') {
> $session{state} = $self->{state};
> $session{timestamp} = time;
> }
> $r->log_error("put_or_del_session: session_id is $self->{session_id}");
> $r->log_error("put_or_del_session: state is " . Dumper $session{state});
> undef %session;
> }
>
> sub get_session {
> my ($self, $r) = @_;
>
> my %session;
>
> my $cookie_str = $r->header_in('Cookie');
> my %cookies = $cookie_str eq '' ? ( ) :
> Apache::Cookie->parse($cookie_str);
> if (exists $cookies{SessionID}) {
> my $session_id = $cookies{SessionID}->value;
> # tie %session, 'Apache::Session::MySQL', $session_id,
> # {
> # DataSource => $self->{config}->{Session_DB},
> # UserName => $self->{config}->{Search_DB_User},
> # Password => $self->{config}->{Search_DB_Password},
> # LockDataSource => $self->{config}->{Session_DB},
> # LockUserName => $self->{config}->{Search_DB_User},
> # LockPassword => $self->{config}->{Search_DB_Password},
> # };
> tie %session, 'Apache::Session::File', $session_id,
> {
> Directory => '/tmp/apache/session',
> LockDirectory => '/tmp/apache/session/lock'
> };
> } else {
> # tie %session, 'Apache::Session::MySQL', undef,
> # {
> # DataSource => $self->{config}->{Session_DB},
> # UserName => $self->{config}->{Search_DB_User},
> # Password => $self->{config}->{Search_DB_Password},
> # LockDataSource => $self->{config}->{Session_DB},
> # LockUserName => $self->{config}->{Search_DB_User},
> # LockPassword => $self->{config}->{Search_DB_Password},
> # };
> tie %session, 'Apache::Session::File', undef,
> {
> Directory => '/tmp/apache/session',
> LockDirectory => '/tmp/apache/session/lock'
> };
> $session{state} = {
> account => {},
> command => '',
> step => '',
> order => {}
> };
> my $cookie = Apache::Cookie->new( $r,
> -name => 'SessionID',
> -path => $self->{uri},
> -domain => 'www.physemp.com',
> -value => $session{_session_id} );
> $cookie->bake;
> }
> $self->{state} = $session{state};
> $self->{session_id} = $session{_session_id};
> $r->log_error("get_session: session_id is $self->{session_id}");
> $r->log_error('get_session: $session{state} is ' . Dumper
> $session{state});
> $r->log_error('get_session: $self->{state} is ' . Dumper $self->{state});
> return %session;
> }
>
>
--
Cees Hek
SiteSuite Corporation
[EMAIL PROTECTED]