Re: Untainting known good data

You're sure '$tmp1' is safe? What if it's ' unlink "/etc/passwd"' and you later call the sub? (Ok, so if its Windows, what if its something equally horrible?). What if some evildoer replaces the file you're reading with evil things? Are you sure you want to call eval with quotes instead of block delimiters?

Update: Ok, I missed the qq, that just makes it a little trickier. What if $tmp1 is '@{[unlink "/"]}' ?

I don't see the need to call eval anyway, use a closure:

# I assume this is just an example, as '$c' and '@a' serve
# no real purpose here
my $sub;
{
 my $tmp = $tmp1;
 # You could even skip assigning to '$tmp' if '$tmp1'
 # already 'enclosed' in another limited context
 $sub = sub { my $c = shift; my @a = ($tmp); return @a; };
}
[download]

More update: I see this doesn't account for eval'ing the substitutions you're making, but I would rethink those also, the way you are 'calling' the 'template::gettmplsub' sub it will not get executed anyway. (Hmm, I guess it will later...)

Comment on Re: Untainting known good data Select or Download Code

Replies are listed 'Best First'.
Re: Re: Untainting known good data by Cine (Friar) on Sep 07, 2001 at 03:27 UTC
Yes, I am sure my file is OK, since it is hardcoded at all points which file is read, and if anyone but me has access to the files anyway, the damage is already done... 'template::gettmplsub' sub it will not get executed anyway Which is EXACLY the point ;) It is MUCH cheaper to eval it into a sub than eval it every time you need the string in the file... (Benchmark reports about 2000% speed increase) T I M T O W T D I	[reply]

Replies are listed 'Best First'.

Re: Re: Untainting known good data
by Cine (Friar) on Sep 07, 2001 at 03:27 UTC

'template::gettmplsub' sub it will not get executed anyway

[reply]