Tommy has asked for the wisdom of the Perl Monks concerning the following question:
I'm worried about $self->can( $user_input ) and what it might allow. Should I maintain a registry of allowed "actions" to which my dispatcher is allowed to route? Or is this good enough? I'm only taking input on AES-encrypted sockets from trusted sources, but in practice... it seems like this could allow a user to call _build_dispatcher for example.
package Foo; use namespace::autoclean; use Moose; has dispatcher => ( is => 'ro', lazy => 1, builder => '_build_dispatch +er' ); # bare bones dispatcher sub _build_dispatcher { my $self = shift; return sub { my ( $action, @args ) = @_; die "I can't do that, Dave" unless $self->can( $action ); $self->$action( @args ); } } # ...Elsewhere, in a class that inherits from Foo: $self->dispatcher->( $action => @params );
I've considered taking queues from Catalyst and using subroutine attributes such that unless a given method has a attribute of :Public ... then I won't allow the call to it. But attributes are ugly right? Hmmmm.
Tommy
A mistake can be valuable or costly, depending on how faithfully you pursue correction
A mistake can be valuable or costly, depending on how faithfully you pursue correction
Back to
Seekers of Perl Wisdom