in reply to SOAP::Lite and Security (Phrack #58)

Ahhhh, the things Safe can save you from ;-).

--
perl -pe "s/\b;([st])/'\1/mg"

Re: Re: SOAP::Lite and Security (Phrack #58)
by IlyaM (Parson) on Dec 30, 2001 at 17:07 UTC
    I'm not sure if Safe really helps. Suppose you have two subs in your code. Both use open to read some files and return data they have read. The first sub should be directly accessible via SOAP::Lite and the second should not. How can Safe help here?

    The actual fix is to restrict the package and method names that can be called via SOAP::Lite.

    --
    Ilya Martynov (http://martynov.org/)

      Well, Safe restricts perlops *and* namespace access, so for that case you might put the second sub in a different package.

      --
      perl -pe "s/\b;([st])/'\1/mg"

        I haven't ever used Safe, but after reading its doc again I don't understand how execution of perlops can be limited in all packages except some of them (this is what you need in the case of SOAP::Lite).

        Anyway, even if it is possible, it still doesn't work. Suppose one method (which should be remotely accessible) uses another (which shouldn't be remotely accessible). You cannot forbid perlops used by the second method because doing so breaks the first method.

        --
        Ilya Martynov (http://martynov.org/)
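
A minimal sketch of the approach raised in the thread above (restricting which package and method names a remote caller can reach), added here as an example; it is not code from any poster or from SOAP::Lite. `Demo::Files`, `%EXPOSED` and `dispatch` are hypothetical names, the file read is a stand-in, and the dispatcher is plain Perl rather than SOAP::Lite's own dispatch mechanism.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical service package: read_public is meant to be remotely callable,
# _read_file is an internal helper that must never be reachable by name.
package Demo::Files;
sub _read_file  { my ($path) = @_; return "contents of $path" }  # stand-in for open/read
sub read_public { my ($class, $name) = @_; return _read_file("/srv/public/$name") }

package main;

# Explicit allowlist: package => { method => 1 } for everything exposed.
my %EXPOSED = ( 'Demo::Files' => { read_public => 1 } );

# Resolve a client-supplied name against the allowlist only; die otherwise.
sub dispatch {
    my ($requested, @args) = @_;
    # Accept only Package::method built from identifier characters, so the
    # legacy "'" package separator and other oddities are rejected up front.
    my ($pkg, $method) = $requested =~ /\A((?:\w+::)*\w+)::(\w+)\z/
        or die "malformed method name\n";
    $EXPOSED{$pkg} && $EXPOSED{$pkg}{$method}
        or die "method not exposed: $requested\n";
    my $code = $pkg->can($method) or die "no such method\n";
    # The exposed method may still call internal helpers; only the entry
    # point chosen by the client is checked.
    return $pkg->$code(@args);
}

# Constructed sample requests: one allowed, three that must be refused.
for my $call ('Demo::Files::read_public', 'Demo::Files::_read_file',
              'main::dispatch', "Demo::Files::read_public'x") {
    my $out = eval { dispatch($call, 'motd.txt') };
    printf "%-30s => %s", $call, defined $out ? "$out\n" : "REFUSED: $@";
}
```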

Re: Re: SOAP::Lite and Security (Phrack #58)
by belg4mit (Prior) on Dec 30, 2001 at 12:38 UTC
    JIK you read the article and are interested, I posted the use Safe; comment there as well (I did not plagiarize ;-). However, since they use a low resolution timestamp, and an UNobfuscated email address as an identifier, I did not give a valid address.

    --
    perl -pe "s/\b;([st])/'\1/mg"