Upon realizing that I had _not_ had taint mode on for a while in a CGI app I was developing, I turned it back on and everything blew up (as advertised, after all).
But as I resolved issues I would see data items pop up as tainted that I 'knew' were untainted when I created them.
As I processed CGI forms I would validate and untaint data items, and then accumulate them in my session hash. Later, in other CGI invocations, I'd try to use those bits of information and blow up with taint errors.
After putting in some debug displays I realized I was simply hitting the taint mode restriction on input data - anything read from a data file is tainted. (My CGI::Session options were 'driver:File;serializer:Storable' and so session data is stored in files)
I'm really puzzled as I can't find previous mentions of this issue, and can't believe the combination of CGI::Session session files and taint mode hasn't been done. I mean, gosh, doesn't everybody use taint mode?
Has anybody dealt with this problem? That is, somehow untainting the session data string read from a file (or database record for that matter), before CGI::Session then uses thaw() to recreate the session hash?
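Added example (editor's code, not the original poster's and not CGI::Session's own): it reproduces the mechanism behind the symptom described above under `perl -T`. A constructed session hash is frozen with Storable, written to a temp file (standing in for the CGI::Session File driver's session file), read back, and thawed. `Scalar::Util::tainted` shows that the freshly frozen string is clean, that the string read from the file is tainted, and that `thaw()` propagates that taint into every value of the recreated hash. The last part shows the only sanctioned way to clear the flag, a regex capture after validation, applied per field at the point of use. The field names, the `untaint_username` helper and its pattern are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example (not the original poster's code): taint flow through a
# Storable-serialized session file, as CGI::Session's File driver would do it.
use strict;
use warnings;
use Storable     qw(freeze thaw);
use Scalar::Util qw(tainted);
use File::Temp   qw(tempfile);

# Under -T a tainted PATH would block any subprocess; set it explicitly.
$ENV{PATH} = '/bin:/usr/bin';

sub yn { $_[0] ? 'yes' : 'no' }

# Constructed sample session hash (assumption: the shape CGI::Session would freeze).
my %session = ( user => 'alice', role => 'editor' );
my $frozen  = freeze(\%session);
print "freshly frozen string tainted?   ", yn(tainted($frozen)), "\n";   # no: built in-process

# Round-trip through a file, which is what the File driver does between requests.
my ($out, $path) = tempfile(UNLINK => 1);
binmode $out;
print {$out} $frozen;
close $out or die "close: $!";

open my $in, '<:raw', $path or die "open $path: $!";
my $from_file = do { local $/; <$in> };
close $in;
print "string read back from file tainted? ", yn(tainted($from_file)), "\n";   # yes: file input is tainted

# thaw() marks every recreated scalar tainted when its input was tainted,
# so the values validated in an earlier request come back tainted again.
my $thawed = thaw($from_file);
print "thawed \$session{user} tainted?  ", yn(tainted($thawed->{user})), "\n";   # yes

# This is the "blow up": a tainted value cannot reach the outside world
# (open for writing, system, exec, unlink, ...).
eval { open my $log, '>>', "/tmp/$thawed->{user}.log" or die "open: $!"; };
(my $err = $@ // '') =~ s/\n\z//;
print "open() with tainted filename:    ", ($err ? "refused: $err" : "allowed"), "\n";

# Untaint at the point of use by validating against the pattern you expect.
# A regex capture is the only sanctioned way to clear the taint flag;
# matching /(.*)/s on the whole frozen blob would clear it too, but throws
# away exactly the check taint mode exists to enforce.
sub untaint_username {
    my ($v) = @_;                                    # assumed policy: short, word-like names
    return undef unless defined $v && $v =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return $1;                                       # $1 is untainted
}

my $user = untaint_username($thawed->{user}) // die "session user failed validation";
print "validated user tainted?          ", yn(tainted($user)), "\n";   # no
```

Run it as `perl -T taint_demo.pl` (the `-T` must be on the command line; a shebang-only `-T` gives "Too late for -T" when invoked as `perl taint_demo.pl`). The design point is that the per-field validation is cheap to re-run on every request, so the usual answer is to untaint session values when they are read out of the session, not to untaint the serialized string before `thaw()`.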