jackdied has asked for the wisdom of the Perl Monks concerning the following question:

Is it possible to put a subroutine into another package without violating 'use strict'?
The normal way to do this looks like
    use strict;
    my $var = 'Test::foo';
    no strict 'refs'; # we need to leave use strict
    *$var = sub {print "Bar\n";};
    use strict; # turn it back on
Is it possible to do the same thing without turning off strict refs?
The reason I am asking is that I want to allow code run under Safe to access packages I have reviewed & approved (with the Safe'd code running under use strict), but I don't want them to be able to change their contents. (Under Safe we can prevent them from turning off 'strict'.)

It is true that they couldn't add any code to the modules that they couldn't just run in their box, but they could screw with the interactions to gain new powers. Here is an exploit for a restricted caller() package: in its original form it will never let the user get to caller() through safe_caller(), but if we can modify caller_allowed() they can.

    package SafeCaller;
    sub safe_caller {
        return caller(@_) if caller_allowed();
    }
    # disallow everyone from using safe_caller
    sub caller_allowed {
        return 0;
    }
-jackdied

keywords: use strict; use Safe; sandbox; restrict; namespace; taint;

Re: Modifying packages without violating use strict
by broquaint (Abbot) on Feb 07, 2002 at 00:42 UTC
    If I understand your question correctly you want this
        package Foo;
        sub inscope { print "in Foo's scope\n" }
        1;

        package main;
        use strict;
        sub Foo::outofscope { print "in main's scope\n" }
        Foo::inscope();
        Foo::outofscope();
    Although I'm not sure if it breaks when using Safe, it works under use strict and is the only 'safe' way I know of adding functions to packages outside of their scope without having to do funky symbol magic.
    HTH

    broquaint

      I hate missing the obvious.
      This will compile without complaints in a Safe sandbox, so consider my question expanded to "Any idea how to do what I want?"
Re: Modifying packages without violating use strict
by chromatic (Archbishop) on Feb 07, 2002 at 00:41 UTC
    It is possible. Perhaps you could localize the typeglob of any package you don't want to exploit before calling those modules? Perhaps not. This is a tricky problem.

    (For the record, my parents are alternately shocked and proud.)
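
The behaviour discussed in this thread, as an added example that is not code from any of the posters: a named policy check is looked up through the package's symbol table, so a fully qualified `sub` definition replaces it under `use strict`, while a check held in a lexical coderef cannot be named from outside. It runs without Safe; `hardened_caller`, `probe`, and the `'caller() data'` placeholder string are hypothetical names standing in for the real `caller()` result.

```perl
use strict;
use warnings;

# Constructed stand-in for the reviewed package from the question.
package SafeCaller;

# Weak form: the policy check is a named sub, resolved through the
# symbol table (*SafeCaller::caller_allowed) each time it is called.
sub caller_allowed { return 0 }
sub safe_caller    { return caller_allowed() ? 'caller() data' : undef }

# Hardened form (an assumption of this example, not from the thread):
# the check is a lexical coderef captured by a closure. Lexicals have
# no symbol table entry, so no other package can name or replace it.
{
    my $allowed = sub { return 0 };
    sub hardened_caller { return $allowed->() ? 'caller() data' : undef }
}

package main;

# Report what each entry point currently hands back.
sub probe {
    return join ',', map { defined $_ ? 'granted' : 'denied' }
        SafeCaller::safe_caller(), SafeCaller::hardened_caller();
}

print "before redefinition: ", probe(), "\n";

# A fully qualified sub definition needs no symbolic reference, so it
# compiles with strict refs still in force (string eval inherits the
# enclosing 'use strict'). It is done at run time here only so that the
# before/after states can both be printed.
eval q{
    no warnings 'redefine';
    sub SafeCaller::caller_allowed { return 1 }
};
die $@ if $@;

print "after redefinition:  ", probe(), "\n";
```

Only the policy check is protected this way; `hardened_caller` itself is still a named sub in the symbol table, so the closure keeps the decision out of reach but does not make the package read-only.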