in reply to Re: Is use of a simple DSL for a configuration a good idea?
in thread Is use of a simple DSL for a configuration a good idea?

I was thinking that using Perl in a configuration file could be a pretty big security hole, as it allows someone to basically run arbitrary Perl code through the configuration file.

$PM = "Perl Monk's";
$MCF = "Most Clueless Friar Abbot Bishop Pontiff Deacon Curate Priest";
$nysus = $PM . ' ' . $MCF;
Click here if you love Perl Monks

Re^3: Is use of a simple DSL for a configuration a good idea? (updated)
by LanX (Saint) on Oct 18, 2018 at 15:02 UTC
    Yes, that's a limitation of most internal DSLs.*

    Perl has some means to disable/override built-ins but normally the possibility to extend the internal DSL is considered a feature.

    Just try to define a JSON format with the same flexibility and start hacking a DTD which is validating it, to see what I mean.

    In the end this might turn out to be the better approach, but designing a DSL works out much faster and could be used as a preliminary step.

    Especially if the design needs to be adapted constantly, you'll never reach the phase to finalize a JSON format.

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery
    FootballPerl is like chess, only without the dice

    update

    *) In the case of Rex you are distributing centralized configs via SSH. But if the centralized server is compromised, you are already in much deeper shit.
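
The reply above mentions that Perl has means to disable built-ins. As an added example (not code from this thread), the sketch below uses the core Safe module, one such mechanism chosen here since the post does not name one, to load a Perl-syntax config while trapping `system` and similar operations. The `load_config` helper and the sample configs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;    # core module: evaluates code under a restricted opcode mask

# Evaluate Perl-syntax config text inside a Safe compartment.
# Returns ($hashref, undef) on success, (undef, $reason) on refusal.
sub load_config {
    my ($source) = @_;

    # Default mask: expressions and variables are allowed; system, exec,
    # backticks, open and require are not.
    my $cpt = Safe->new;

    my $cfg = $cpt->reval($source, 1);    # 1 = compile under "use strict"
    return (undef, "rejected: $@") if $@;

    # Shape check: a config must be a plain hash reference, nothing else.
    return (undef, 'rejected: config must evaluate to a hash reference')
        unless ref($cfg) eq 'HASH';

    return ($cfg, undef);
}

# Constructed sample configs (hypothetical keys and values).
my @samples = (
    # Still an internal DSL: variables and expressions work.
    [ benign => q{ my $base = 'db'; +{ host => $base . '1.example.test', port => 5400 + 32 } } ],
    # Tries to run a command while being loaded.
    [ command => q{ system('echo config-ran-a-command'); +{ host => 'x' } } ],
    # Valid Perl, but not a config.
    [ wrong_shape => q{ 42 } ],
);

for my $sample (@samples) {
    my ($name, $source) = @$sample;
    my ($cfg, $err) = load_config($source);
    if ($cfg) {
        print "$name: ok ", join(', ', map { "$_=$cfg->{$_}" } sort keys %$cfg), "\n";
    }
    else {
        chomp $err;
        print "$name: $err\n";
    }
}
```

The `command` sample is refused when it is compiled, so the command never runs. Safe's own documentation notes that a compartment does not prevent resource exhaustion such as infinite loops or large memory allocations.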