in reply to How can I convert hash to string and back again?

> but that only allows one-way conversion 

That's not correct; both are designed to produce Perl code which can be evaled. Furthermore, Data::Dumper is a core module.

Though there are traps when dealing with special structures like objects and recursive references (similar with JSON).

As long as you are only dealing with hashes, arrays and "normal" scalars (like strings) you should be more than fine.

Cheers Rolf
(addicted to the Perl Programming Language and ☆☆☆☆ :)

PS: Je suis Charlie!

Re^2: How can I convert hash to string and back again?
by sebastiannielsen2 (Novice) on Mar 02, 2015 at 21:30 UTC

    Is Data::Dump/Data::Dumper safe with unsanitized user input/unsafe data? I'm feeding email data directly into a hash. Dumping the hash is no problem, but undumping it with eval. Is Data::Dump/Data::Dumper making sure any code inside always is completely 100% safe to run - provided I only deal with hashes, strings and arrays?

      > safe with unsanitized user input/unsafe data?

      Good question ...

      Let's test:

          DB<103> $hash={ key => ' text @{[print "Injection" ]} text' }
           => { key => " text \@{[print \"Injection\" ]} text" }

          DB<104> use Data::Dumper

          DB<105> $str = Dumper $hash
          $VAR1 = { 'key' => ' text @{[print "Injection" ]} text' };

          DB<106> eval $str
           => { key => " text \@{[print \"Injection\" ]} text" }

          DB<108> print $VAR1->{key}
           text @{[print "Injection" ]} text

      Looks fine to me. =)

      update

      Explanation: Data::Dumper puts strings into single quotes, so no danger of interpolation.

      Data::Dump uses double quotes, but escapes all sigils.

      update

      NB: eval of included strings can still be dangerous! They don't sanitize dangerous strings for you, they will just reproduce the original data structure.

      Cheers Rolf
      (addicted to the Perl Programming Language and ☆☆☆☆ :)

      PS: Je suis Charlie!
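
The round trip discussed in this thread, as an added example that is not part of the original posts: it dumps a hash of hostile-looking strings with Data::Dumper, evals the dump, and checks that the copy is identical and that nothing embedded in the strings ran. The names `tripwire`, `round_trip` and `%mail` are hypothetical, the sample data is constructed, and `$Data::Dumper::Useqq = 1` is used here as a stand-in for the double-quoted output style the thread attributes to Data::Dump.

```perl
use strict;
use warnings;
use Data::Dumper;

# Canary: incremented only if text inside a dumped string is executed.
our $canary = 0;
sub tripwire { $canary++; return 'RAN' }

# Constructed sample input standing in for untrusted email fields.
my %mail = (
    subject => ' text @{[ main::tripwire() ]} text',
    from    => q{x'; main::tripwire(); '},
    body    => q{back\\slash ${\ main::tripwire() } $ENV{HOME} "quoted"},
    to      => [ 'a@example.com', q{b\\'@example.com} ],
);

sub round_trip {
    my ($data, $useqq) = @_;
    local $Data::Dumper::Useqq    = $useqq;  # 0: single quotes, 1: escaped double quotes
    local $Data::Dumper::Sortkeys = 1;       # stable output for comparison and logging
    my $dump = Dumper($data);
    my $VAR1;                                # the dump assigns to $VAR1; keeps strict happy
    my $copy = eval $dump;                   # value of the assignment is the restored ref
    die "undump failed: $@" if $@;
    return ($dump, $copy);
}

for my $useqq (0, 1) {
    my ($dump, $copy) = round_trip(\%mail, $useqq);
    for my $field (qw(subject from body)) {
        die "mismatch in $field" unless $copy->{$field} eq $mail{$field};
    }
    die "mismatch in to" unless "@{ $copy->{to} }" eq "@{ $mail{to} }";
    die "embedded code ran during eval" if $canary;
    print "Useqq=$useqq: copy identical, canary=$canary\n";
}

# The restored values are byte-for-byte the original text, hostile content
# included: quoting protects this eval, not any later eval or interpolation
# of the fields. eval also trusts the dump text itself, so only undump
# strings your own code produced and that nobody else could have edited.
```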