Consider:

#!/usr/bin/perl
BEGIN { print "rm -rf /" }
[download]

Guess what happens when you run perl -c on this.

Now just imagine if that weren't just a print statement...

Update: I thought it was discussed here before, but I can't seem to find where. IIRC, the verdict was, basically, that there's just not a way to get arbitrary code syntax checked w/o (at least the possbility of) running some of it.

bbfu
Seasons don't fear The Reaper.
Nor do the wind, the sun, and the rain.
We can be like they are.

Update: I thought it was discussed here before, but I can't seem to find where. IIRC, the verdict was, basically, that there's just not a way to get arbitrary code syntax checked w/o (at least the possbility of) running some of it.

It's worse than that. You can't just skip over the BEGIN blocks in your pretend-parser. You must execute them, because they can affect the later parse, and short of solving the halting problem, you basically can't tell whether they'll do something malicious or not, except perhaps by executing them within a Safe compartment. See my "On Parsing Perl" for specific examples of why you cannot skip executing the BEGIN blocks.

-- Randal L. Schwartz, Perl hacker

yeah, and how is that less secure than an eval? you can't do anything about code in a BEGIN block short of parsing it out (which can be difficult). you have no point

My point was that perl -c is no more (or less) secure than evaling the code. (The other?) Anonymous Monk suggested that eval was insecure and that the original poster should use perl -c instead. I was simply pointing out that it would be no better.

bbfu
Seasons don't fear The Reaper.
Nor do the wind, the sun, and the rain.
We can be like they are.