in reply to Re: Securing your SOAP Application
in thread Securing your SOAP Application

You mean like this?

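#!/usr/bin/perl
use SOAP::Transport::HTTP;   # the ::CGI server class is defined in this module

SOAP::Transport::HTTP::CGI
    -> dispatch_to('ReallyInsecureDontDoThis')
    -> handle;

package ReallyInsecureDontDoThis;

# SOAP::Lite invokes this as a class method, so the client's string is the
# second argument; eval then runs whatever Perl the caller sent.
sub run_code { my ($class, $code) = @_; eval $code }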

Client side:

#!/usr/bin/perl
use SOAP::Lite;

my $soap = SOAP::Lite
    ->uri('ReallyInsecureDontDoThis')
    ->proxy('http://www.example.com/insecure_server.cgi');

# q{} rather than q//, because the string itself contains a '/'
$soap->call(run_code => q{system('rm -rf /')});

----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer

Note: All code is untested, unless otherwise stated
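For contrast with the eval-based dispatcher in the post above, here is an added example (not part of the original post) of a SOAP::Lite CGI server that exposes a single method and maps client-supplied action names onto an allowlist instead of compiling client input. The names SafeActions, run_action, server_time and add are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use SOAP::Lite;
use SOAP::Transport::HTTP;

package SafeActions;

# Allowlist: each action name maps to code written by the server owner.
# Nothing the client sends is ever compiled, eval'd or handed to a shell.
my %ACTIONS = (
    server_time => sub {
        _reject('server_time takes no arguments') if @_;
        return scalar gmtime;
    },
    add => sub {
        _reject('add takes exactly two integers') unless @_ == 2;
        for my $n (@_) {
            # Plain scalars only, bounded length, anchored pattern.
            _reject('arguments must be integers')
                unless defined $n && !ref $n && $n =~ /\A-?\d{1,9}\z/;
        }
        return $_[0] + $_[1];
    },
);

# Report bad input to the caller as a SOAP fault, without internal details.
sub _reject {
    my ($why) = @_;
    die SOAP::Fault->faultcode('Client')->faultstring($why);
}

# The only remotely callable method. SOAP::Lite passes the class name first.
sub run_action {
    my ($class, $name, @args) = @_;
    _reject('unknown action')
        unless defined $name && !ref $name && exists $ACTIONS{$name};
    return $ACTIONS{$name}->(@args);
}

package main;

# Dispatch to one named method rather than a whole package, so helper subs
# such as _reject cannot be invoked over SOAP. This runs last so that
# %ACTIONS is populated before the request is handled.
SOAP::Transport::HTTP::CGI
    ->dispatch_to('SafeActions::run_action')
    ->handle;
```

A client would call it with `->uri('SafeActions')` and `$soap->call(run_action => 'add', 2, 3)`; any action name outside the hash comes back as a SOAP fault.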

Re: Re: Re: Securing your SOAP Application
by liz (Monsignor) on Jul 30, 2003 at 20:17 UTC
    Basically, yes.

    With the added complication of using XSLT to process the entire SOAP XML, creating a script on disk to be run.

    Liz