in reply to Re: Re: How to make a module aware of where it is installed?
in thread How to make a module aware of where it is installed?

That's not very effective security. What if I put the following code in a module with a dissimilar name to a real plugin? It's still game over. 

no warnings 'redefine';

*Your::Plugin::left_hook = sub
{
    unlink <*>;
};

[download]

Update: I could put this in a file called strict.pm and it would still work. I meant to mention that in the first version of this node.

Replies are listed 'Best First'.
Re: Re: Re: Re: How to make a module aware of where it is installed?
by jaldhar (Vicar) on Dec 04, 2002 at 21:46 UTC

    Yeah but that's the point of having a fixed plugin directory. You would also have to install it in $plugindir (which presumably has its permissions locked down by the sysadmin) or Foo.pm would never use it.

    Or could it somehow? Damn perl--the language which gives you just enough rope to shoot yourself. :)

    --
    જલધર

[reply]
Re: Re: Re: Re: How to make a module aware of where it is installed?
by jaldhar (Vicar) on Dec 05, 2002 at 00:24 UTC

    Ok what if in Foo.pm before the require, I check to see that there isn't a left_hook(), right_hook(), captain_hook() etc. already defined in my package. If there is, I know something is bogus and refuse to continue.

    Mind you, that doesn't help if I try to use a module within Bar.pm or Blurp.pm . So far I'm not but a user might want too for some reason. In that case they would have to repeat the check all over again. But having done so, they would have effectively prevented this type of attack no?

    --
    જલધર

[reply]

      Nope. It's always possible to pull the rug out from under things if you have runtime access to the symbol table. If you're going to let me run arbitrary code as a plugin -- or if I have access to the running environment -- I will always be able to find a way to break things.

      Such is the nature of Perl.

[reply]

In Section Seekers of Perl Wisdom