Re: Convert JSON to Array in CGI

$params doesn't contain JSON as you claim; it contains Perl code. There's no safe way to handle that.

Comment on Re: Convert JSON to Array in CGI Download Code

Replies are listed 'Best First'.
Re^2: Convert JSON to Array in CGI by Corion (Patriarch) on Sep 11, 2018 at 06:37 UTC
Of course there are very safe ways to handle a delimited subset of Perl code such as Data::Dumper produces. There just is no safe/sane way to handle arbitrary Perl code. As long as you restrict yourself to eliminating the `$VAR1 =`, the rest is almost JSON, and JSON can be safely parsed. After some searching merlyn wrote such a Parser for Data::Dumper and posted it online.	[reply] [d/l]
Re^3: Convert JSON to Array in CGI by ikegami (Patriarch) on Sep 12, 2018 at 15:59 UTC
I was aware that it was theoretically possible to verify that the output was part of that subset, but I wasn't aware of merlyn's work. Thanks! (Of course, P::RD is insanely slow, so this could use some work.)	[reply]