I'm still in shock about this post Re: Vulnerabilities when editing untrusted code... (Komodo), showing that it's not trivial to find BEGIN, CHECK und UNITCHECK compile time blocks (furtheron named "CTBs") by static parsing before the code is executed.
My understanding of whats happening in ''=~('(?{B'.'EGIN{print "owned"}})') is:
After some meditation I think, that having a mechanism to intercept the execution of CTBs is a necessary feature request.
It would be beneficial to have something like a command line switch to make perl print all CTBs instead of evaling them and not continuing by default.
something like perl -cc maybe extendable by hooking a function to treat the code string perl -cc='my ($code, $phase, $file, $line); print $code; 0'.
The return code of those callbacks could be taken to decide about the further continuation of the process. (e.g. based on a file's ownership, path or certificate) ²
AFAIK CTBs are evaled¹, so in theory it should be easily possible to intercept the evaling routine to do this.
The possible benefits are:
I took a look into Safe, but it doesn't seem that this case is covered ... or is it possible to hook into eval to achieve this?
Or is there already any other possibility I missed???
Cheers Rolf
1) well not quite ... from perlmod
It should be noted that "BEGIN" and "UNITCHECK" code blocks are executed inside string "eval()"’s. The "CHECK" and "INIT" code + blocks are not executed inside a string eval, which e.g. can be a prob +lem in a mod_perl environment.
2) it could also return other code to be used instead, e.g. to wrap the given code into "use Safe;" and "no Safe;" statements,
3) including tracing and investigating CTBs of alien code.
In reply to Intercepting compile time blocks like BEGIN {} by LanX
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |