While looking into why I didn't see bug 155700, it turns out that perl > 5.6.0 has broken |use taint 're'|, which we use to avoid tainting . I've filed a bug with a test case - see the URL. The workaround is to assign a known-tainted value to $item and $value first, before. The alternate fix is to use split, rather than $1 (like CGI.pm does), or to avoid using $1, and just assign from the result of the m// directly (which appears to avoid triggering this bug). I'll wait to see what the response is before deciding which one to do, but we should do one of them for 2.16.
Dupe submission because of bug 154036. myk, can you apply that patch to bmo, please?
*** This bug has been marked as a duplicate of 155793 ***
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE