that could be a potential drawback to this module when using user-supplied strings.
Technically, that's true. However ISTM that it's much the same as saying that DBI is vulnerable by design because putting user-supplied strings into a do() or prepare() call could result in SQL injection. But that's OK because nobody in their right mind would write code which passed unvalidated user-supplied data to such methods. And the same is true for Module::Load. Perhaps more so because in the latter's case it is easily blocked by taint mode:
$ cat tm.pl
#!/usr/bin/perl -T
use strict;
use warnings;
use Module::Load;
my $garbage = shift @ARGV;
load $garbage;
print "This is fine.\n";
$ ./tm.pl foo
Insecure dependency in require while running with -T switch at /usr/share/perl5/vendor_perl/Module/Load.pm line 77.
Insecure dependency in require while running with -T switch at /usr/share/perl5/vendor_perl/Module/Load.pm line 77.
$
YMMV but I'm perfectly happy to carry on using it in a secure fashion.
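The "secure fashion" the reply alludes to, shown as an added example (not code from the post or from Module::Load): the user-supplied name is checked against an allowlist before it is untainted and passed to load(), so the script still runs under -T. The allowlist contents and the script name are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: load a module whose name comes
# from the command line while running under taint mode (-T).
# Run it as ./loadsafe.pl Data::Dumper (perl loadsafe.pl would be "Too late for -T").
use strict;
use warnings;
use Module::Load;

# Hypothetical allowlist of modules that user input may select.
my %allowed = map { $_ => 1 } qw(Data::Dumper List::Util Scalar::Util);

# Returns an untainted copy of $name, or dies if it is not on the allowlist.
sub untaint_module_name {
    my ($name) = @_;
    # The allowlist lookup is the real security decision; a tainted hash key
    # is fine here because nothing insecure is done with it yet.
    die "Refusing to load unlisted module '$name'\n" unless $allowed{$name};

    # -T only clears the taint flag on data pulled out of a regex capture, so
    # extract the name again, restricted to Perl package-name syntax.
    my ($clean) = $name =~ /\A([A-Za-z_]\w*(?:::\w+)*)\z/
        or die "Malformed module name '$name'\n";
    return $clean;
}

my $requested = shift @ARGV;
die "usage: $0 Module::Name\n" unless defined $requested;

my $module = untaint_module_name($requested);
load $module;    # no "Insecure dependency" now: $module is untainted
print "Loaded $module\n";
```

Without the allowlist check, the regex capture alone would untaint any syntactically valid name, which is exactly the kind of unvalidated pass-through the reply says nobody should write.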