
Re: "Dynamic" dispatch tables

by mr_mischief (Monsignor)
on Apr 29, 2011 at 18:14 UTC


in reply to "Dynamic" dispatch tables

All interactive software tends to run different subs based on user input in some way. There's no security issue with that per se. Where there's a security issue is making a system call with user-supplied data or executing code received as user-supplied data. If one of your subroutines makes a change to part of the system outside your program, you need to be very sure what kinds of changes it can make given the inputs which are allowed to change its behavior.

Replies are listed 'Best First'.
Re^2: "Dynamic" dispatch tables
by elTriberium (Friar) on Apr 29, 2011 at 18:20 UTC
    Right, that's the part where user input becomes code in my original post:
    $dispatch_table{$tc} = sub {eval "tcid_$tc()"},
    $tc is a value entered by the user. I'm dynamically creating the sub name tcid_$tc based on that input. Since this is in an eval, there are of course bad things a user could do here (like supplying --tcid 1;<bad code here>), but since this code will never be released to the public I don't see this as a big issue. And of course I can add some additional parsing for example that a tcid is only \d+ and nothing else.
      Well, if the only people running the code would also have access to alter the code then you're not really protecting the system from anything but an accident.
        OK, good point, thanks.
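
The digits-only check mentioned in the thread, combined with a symbol lookup in place of the string eval, as an added example that is not part of the original posts. The subs tcid_1 and tcid_2 and the helpers resolve_tc and build_dispatch are hypothetical names, and the input list is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical test-case subs standing in for the poster's tcid_N routines.
sub tcid_1 { return "ran test case 1" }
sub tcid_2 { return "ran test case 2" }

# Resolve a user-supplied test-case id to a code ref without eval.
# Returns false when the id is not purely ASCII digits or no such sub exists.
sub resolve_tc {
    my ($tc) = @_;
    # \A and \z anchor the whole string; a plain $ would accept a trailing newline.
    return unless defined $tc && $tc =~ /\A[0-9]+\z/;
    # can() only looks the name up in the symbol table; nothing is compiled.
    return __PACKAGE__->can("tcid_$tc");
}

# Build the dispatch table only from ids that pass validation,
# and report the rest so the caller can log or refuse them.
sub build_dispatch {
    my (@ids) = @_;
    my (%dispatch_table, @rejected);
    for my $tc (@ids) {
        if (my $code = resolve_tc($tc)) {
            $dispatch_table{$tc} = $code;
        }
        else {
            push @rejected, $tc;
        }
    }
    return (\%dispatch_table, \@rejected);
}

# Constructed sample input: two valid ids, one unknown id, and one value
# of the "1;<code>" shape discussed in the thread.
my @input = ('1', '2', '99', '1;print "not a test case"');
my ($table, $rejected) = build_dispatch(@input);

print "$_: ", $table->{$_}->(), "\n" for sort keys %$table;
print "rejected: [$_]\n" for @$rejected;
```

The last two inputs end up in the rejected list: one fails the symbol lookup and the other fails the digits-only check, and neither is ever evaluated as Perl.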
