You could indeed use eval, but you then have the tricky task of validating the name of the dependency first.
I think that you should validate the name in any case. BTW: Taint mode enforces that you validate the name.
/tmp>cat taint-require.pl
#!/usr/bin/perl -T
use strict;
use warnings;
my $mod=<STDIN>;
chomp $mod;
$mod.='.pm';
$mod=~s!(::|')!/!g;
require $mod;
print $mod->VERSION;
/tmp>chmod +x taint-require.pl
/tmp>echo Data::Dumper | taint-require.pl
Insecure dependency in require while running with -T switch at ./taint-require.pl line 11, <STDIN> line 1.
/tmp>
$dep =~ s{::}{/}g;
$dep .= ".pm";
require $dep;
That's strictly speaking not sufficient. ' can be used as a separator in module names in place of :: (perl4 legacy). Some fun modules, like Acme::Don't, still use this feature. And perl still accepts ' in place of :::
/tmp>cat perl4-mod.pl
#!/usr/bin/perl
use strict;
use warnings;
use Data'Dumper;
print Dumper(\%INC);
/tmp>perl perl4-mod.pl
$VAR1 = {
'warnings/register.pm' => '/usr/share/perl5/warnings/register.pm',
'strict.pm' => '/usr/share/perl5/strict.pm',
'constant.pm' => '/usr/share/perl5/constant.pm',
'warnings.pm' => '/usr/share/perl5/warnings.pm',
'overload.pm' => '/usr/share/perl5/overload.pm',
'Exporter.pm' => '/usr/share/perl5/Exporter.pm',
'overloading.pm' => '/usr/share/perl5/overloading.pm',
'Carp.pm' => '/usr/share/perl5/Carp.pm',
'XSLoader.pm' => '/usr/local/lib64/perl5/XSLoader.pm',
'Data/Dumper.pm' => '/usr/lib64/perl5/Data/Dumper.pm',
'bytes.pm' => '/usr/share/perl5/bytes.pm'
};
/tmp>perl -v
This is perl 5, version 22, subversion 2 (v5.22.2) built for x86_64-linux-thread-multi
Copyright 1987-2015, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
/tmp>
Alexander
--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
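The validation discussed in the post above, as an added example that is not part of the original post: a whitelist regex untaints the name, accepting both `::` and the perl4 `'` separator, before `require` sees it. The helper name `load_module` and the exact component rule (ASCII identifier characters only) are assumptions of this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical helper, not from the thread: validate, untaint and load a module.
sub load_module {
    my ($name) = @_;
    # Whole-string match: identifier components joined by :: or the perl4 '.
    # /a keeps \w ASCII-only; \z (not $) refuses a trailing newline.
    my ($clean) = $name =~ /\A([A-Za-z_]\w*(?:(?:::|')\w+)*)\z/a
        or die "invalid module name\n";
    # $clean came from a capture group, so it is no longer tainted.
    (my $file = "$clean.pm") =~ s{::|'}{/}g;
    require $file;
    (my $package = $clean) =~ s{'}{::}g;    # canonical package name
    return $package;
}

# Names arrive on STDIN, so they are tainted, as in taint-require.pl.
# Constructed sample input, one name per line:
#   Data::Dumper
#   Data'Dumper
#   ../Data/Dumper
while (my $line = <STDIN>) {
    chomp $line;
    my $package = eval { load_module($line) };
    if (defined $package) {
        printf "%s: loaded, version %s\n",
            $package, $package->VERSION() // 'unknown';
    }
    else {
        my $err = $@;
        chomp $err;
        print "rejected: $err\n";
    }
}
```

The first two sample names load Data::Dumper; the third never reaches `require` because `/` and `.` are not in the allowed character set.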