in reply to Re: How can I convert hash to string and back again?
in thread How can I convert hash to string and back again?

Is Data::Dump/Data::Dumper safe with unsanitized user input/unsafe data? Im feeding email data directly into a hash. Dumping the hash is no problem, but undumping it with eval. Is Data::Dump/Data::Dumper making sure any code inside Always is completely 100% safe to run - provided I only deal with hashes, strings and arrays?

  • Comment on Re^2: How can I convert hash to string and back again?

Replies are listed 'Best First'.
Re^3: How can I convert hash to string and back again?
by LanX (Saint) on Mar 02, 2015 at 21:41 UTC
    > safe with unsanitized user input/unsafe data?

    Good question ...

    lets test:

      DB<103> $hash={ key => ' text @{[print "Injection" ]} text' }
 => { key => " text \@{[print \"Injection\" ]} text" }

  DB<104> use Data::Dumper

  DB<105> $str = Dumper $hash
$VAR1 = {
          'key' => ' text @{[print "Injection" ]} text'
        };

  DB<106> eval $str
 => { key => " text \@{[print \"Injection\" ]} text" }

  DB<108> print $VAR1->{key}
 text @{[print "Injection" ]} text

    [download]

    Looks fine for me. =)

    update

    Explanation: Data::Dumper puts strings into single quotes, so no danger of interpolation.

    Data::Dump uses double quotes, but escapes all sigils.

    update

    NB: eval of included strings can still be dangerous! They don't sanitize dangerous strings for you, they will just reproduce the original data structure.

    Cheers Rolf
    (addicted to the Perl Programming Language and ☆☆☆☆ :)

    PS: Je suis Charlie!

[reply]
[d/l]

In Section Seekers of Perl Wisdom