in reply to Re: Re: Re: Re: SOAP::Lite and Security (Phrack #58)
in thread SOAP::Lite and Security (Phrack #58)

Safe allows you to isolate code in a compartment. That code is in its own package and cannot access variables in other packages. You may restrict access to perlops on a per compartment basis.

Try this:

    package Bob;
    use Safe;
    use Digest::MD5;

    $cpt = new Safe;
    $cpt->share('&alpha');    # make alpha callable from inside the compartment

    $str1 = 'print Digest::MD5::md5_hex("Jerrad"), "\n"';
    $str2 = 'print "Hello World\n"';

    sub alpha { "Do things\n" };
    sub beta  { "Do other things\n" };

    # plain eval: runs in package Bob
    eval $str1;
    eval $str2;
    eval "print &alpha";
    eval "print &beta";

    # reval: runs inside the Safe compartment
    $cpt->reval($str1);
    $cpt->reval($str2);
    $cpt->reval("print &alpha");
    $cpt->reval("print &beta");
    __END__

Yields:

    26e30951791b6e173148f99d8b709c5b
    Hello World
    Do things
    Do other things
    Hello World
    Do things

etc. etc. I never meant to imply it was easy as pie, just that it helped (made hard things possible ;-).

--
perl -pe "s/\b;([st])/'\1/mg"

Re:**6 SOAP::Lite and Security (Phrack #58)
by IlyaM (Parson) on Dec 31, 2001 at 07:20 UTC
    I've read the Safe docs and I have an idea how it works. I just don't get how it can help SOAP::Lite.

    In the case of SOAP::Lite you have several subs in different packages which should be remotely accessible. Note that these subs can themselves call other subs which should not be remotely accessible. That's ok. The problem is that SOAP::Lite doesn't provide a means to restrict the list of remotely accessible subs. Basically you can call any existing subroutine in any package via SOAP::Lite.

    This problem is not related to restricting perlops. It is about creating a restriction for subs which can be remotely called. And it is not a job for Safe to build and check the list of subroutines allowed to be called remotely. It is a job for SOAP::Lite itself.

    --
    Ilya Martynov (http://martynov.org/)

      Safe does more than just restrict perlops as the example code illustrates. And I won't deny that the responsibility lies with SOAP::Lite. Perhaps subclassing to SOAP::Lite::Safe would be good, I'll put it on my vaporware todo list...

      --
      perl -pe "s/\b;([st])/'\1/mg"
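
The restriction discussed in this thread, sketched as an added example that is not code from any poster or from SOAP::Lite: a dispatcher that resolves whatever sub name the request carries, beside one that only looks the name up in an explicit allow-list. The package `Demo::Service`, its subs, `%REMOTE_OK` and both dispatcher functions are hypothetical stand-ins, and the request names are constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample service: one sub meant for remote callers,
# one internal helper that should never be reachable from a request.
package Demo::Service;
sub get_quote   { my ($class, $sym) = @_; return "quote for $sym" }
sub _purge_logs { return "internal helper ran" }

package main;

# Explicit allow-list of remotely callable subs, keyed by fully qualified name.
my %REMOTE_OK = (
    'Demo::Service::get_quote' => \&Demo::Service::get_quote,
);

# Open dispatch: any existing sub in any loaded package can be resolved.
sub dispatch_any {
    my ($name, @args) = @_;
    my ($pkg, $sub) = $name =~ /^(.+)::(\w+)$/ or die "bad method name\n";
    my $code = $pkg->can($sub) or die "no such sub\n";
    return $code->($pkg, @args);
}

# Allow-list dispatch: the requested name is only ever used as a hash key,
# so nothing outside %REMOTE_OK can be reached.
sub dispatch_listed {
    my ($name, @args) = @_;
    my $code = $REMOTE_OK{$name} or die "method '$name' is not exported\n";
    my ($pkg) = $name =~ /^(.+)::/;
    return $code->($pkg, @args);
}

# Constructed requests: the intended method and the internal helper.
for my $req ('Demo::Service::get_quote', 'Demo::Service::_purge_logs') {
    for my $d ([any => \&dispatch_any], [listed => \&dispatch_listed]) {
        my $out = eval { $d->[1]->($req, 'ACME') };
        $out = "refused: $@" unless defined $out;
        chomp $out;
        print "$d->[0]  $req -> $out\n";
    }
}
```

Subs that an exported sub calls internally stay callable from it, since the check applies only to the name arriving in the request.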