PerlMonks  

Re^3: Use 'use' in foreach

by hippo (Bishop)
on Jul 19, 2017 at 17:43 UTC [id://1195500]


in reply to Re^2: Use 'use' in foreach
in thread Use 'use' in foreach

    that could be a potential drawback to this module when using user-supplied strings.

Technically, that's true. However ISTM that it's much the same as saying that DBI is vulnerable by design because putting user-supplied strings into a do() or prepare() call could result in SQL injection. But that's OK because nobody in their right mind would write code which passed unvalidated user-supplied data to such methods. And the same is true for Module::Load. Perhaps more so because in the latter's case it is easily blocked by taint mode:

    $ cat tm.pl
    #!/usr/bin/perl -T
    use strict;
    use warnings;
    use Module::Load;

    my $garbage = shift @ARGV;
    load $garbage;
    print "This is fine.\n";
    $ ./tm.pl foo
    Insecure dependency in require while running with -T switch at /usr/share/perl5/vendor_perl/Module/Load.pm line 77.
    Insecure dependency in require while running with -T switch at /usr/share/perl5/vendor_perl/Module/Load.pm line 77.
    $

YMMV but I'm perfectly happy to carry on using it in a secure fashion.

Re^4: Use 'use' in foreach
by haukex (Archbishop) on Jul 23, 2017 at 20:53 UTC
    it's much the same as saying that DBI is vulnerable by design because putting user-supplied strings into a do() or prepare() call could result in SQL injection

    Well, yes and no: I'm saying that yes, it's a security issue like code injection, both in that it should be seriously considered and warned about, but also in that if you are aware of the issues and know what you are doing and can use it safely, then fine. But no, it's not exactly like DBI's API, because apparently Module::Load chose to overload its load function to be able to load both modules and files, which could have been designed differently to avoid this issue.

    nobody in their right mind would write code which passed unvalidated user-supplied data to such methods

    Well I've seen it done one too many times, and so this statement could also be read with a sarcastic meaning ;-)
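The point both posts converge on is that a user-supplied string must be validated before it ever reaches load(), since Module::Load's load will treat a string that is not a package name as a file to require. The following is an added example of such a wrapper; it is not hippo's, haukex's or Module::Load's own code, and the %ALLOWED list, the safe_load name and the three package names in it are assumptions chosen for illustration. It runs under -T like the snippet above, and the regex capture is what untaints the value.

```perl
#!/usr/bin/perl -T
# Added example: validate and allow-list a user-supplied module name before
# handing it to Module::Load::load. Not code from the thread or from Module::Load.
use strict;
use warnings;
use Module::Load;

# Hypothetical allow-list: the only packages this program is willing to load.
my %ALLOWED = map { $_ => 1 } qw(Data::Dumper List::Util Scalar::Util);

# Validates $name, loads it, and returns the clean package name; dies otherwise.
sub safe_load {
    my ($name) = @_;

    # Accept only a plain Perl package name (Foo, Foo::Bar, ...). Anything
    # containing '/', '.', '-' or other path characters is rejected here, so a
    # string that load() would have treated as a file path never reaches it.
    # The capture also untaints $clean, which is what -T requires before require.
    my ($clean) = $name =~ /\A([A-Za-z_]\w*(?:::\w+)*)\z/
        or die "Refusing to load '$name': not a package name\n";

    # The allow-list is the actual control; the regex only guarantees shape.
    $ALLOWED{$clean}
        or die "Refusing to load '$clean': not on the allow-list\n";

    load $clean;
    return $clean;
}

my $requested = shift @ARGV;
defined $requested or die "usage: $0 Module::Name\n";
my $loaded = safe_load($requested);
print "Loaded $loaded\n";
```

Run it as `./safe_load.pl Data::Dumper` to see a permitted load, and with any other argument to see it refused before Module::Load is involved. The regex alone is not sufficient, because a syntactically valid package name can still name a module the program has no business loading; the allow-list is the control that matters, and the pattern exists mainly to separate package names from file paths and to satisfy taint mode.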
