I'm developing a site that uses cookies to identify users. Initially, to generate the ID that I bake up each cookie with, I use this commonly seen code:
sub unique_id() {
# Use Apache's mod_unique_id if available
return $ENV{UNIQUE_ID} if exists $ENV{UNIQUE_ID};
require Digest::MD5;
my $md5 = new Digest::MD5;
my $remote = $ENV{REMOTE_ADDR} . $ENV{REMOTE_PORT};
# ** Note ** This is intended to be unique, not unguessable
my $id = $md5->md5_base64(time, $$, $remote);
$id =~ tr|+/=|-_.|; # make non-word characters URL friendly
return $id;
}
Currently, I'm trying this cheap Camel ripoff to untaint a cookie that was given to me from the client (ie. I've already generated the cookie for this client, so they pass it to my program, therefore making it tainted):
sub untaint_cart_id($) {
my $old_id = shift;
my $cart_id;
#print "$old_id<BR>";
if ($old_id =~ /^([-\@\w.]+)$/) {
$cart_id = $1;
}
else {
die("Bad Cart ID");
}
#print "$cart_id<BR>";
return $cart_id;
}
which dies often (in fact, anytime the cookie's ID doesn't contain a mix of -'s, @'s and word chars).
So how can I untaint the cookie when the user returns to the site? I obviously would rather not pull any /^(.*)$/ ugliness, because that doesn't get me anywhere.