in reply to Re^5: Use with variable
in thread Use with variable

Eh, considering that a use or a require does an eval, what exactly are you trying to protect yourself from? If a user can pass a module name of his choosing, you're doomed anyway, no matter what restrictions you put on the module name:
echo 'BEGIN {qx {rm -rf /}}' > MyModule.pm
and then you hand 'MyModule.pm' to the program.

If the program is not running on behalf of someone else (like, uhm, 99% of the programs out there), there's no security issue with string eval anyway.

Re^7: Use with variable
by Corion (Patriarch) on Sep 08, 2004 at 14:47 UTC

    Like I already discussed, avoiding string-eval is for when input comes from untrusted sources. For example, a module loaded by (hopefully tainted) data read from the internet via a form submission. There, the user can't create a module of their own devising on my local machine but still could run arbitrary code with your method. I know that the variant I propose is probably overkill, as I already said above, but on the other hand, it isn't much more code and will land in a subroutine anyway, if such a feature is needed but not provided by any of the *::Plugin modules.
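
One way to load a module named by untrusted input without string eval, shown as an added example that is not code from either post in this thread. The sub name load_plugin, the %ALLOWED allowlist and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical allowlist: the only modules a request may select.
my %ALLOWED = map { $_ => 1 } qw(List::Util Text::Wrap);

# Load a module named by untrusted input without string eval.
# Returns the validated module name, or dies.
sub load_plugin {
    my ($name) = @_;

    # Accept only Perl package syntax: no '/', '.', ';', whitespace or NUL,
    # so the value cannot be a path or carry code. The capture also
    # untaints the value when running under -T.
    my ($module) = ($name // '') =~
        /\A([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*)\z/;
    die "invalid module name\n" unless defined $module;

    # Valid syntax still lets a caller pick any installed module,
    # so membership in the allowlist is the real control.
    die "module not permitted: $module\n" unless $ALLOWED{$module};

    # require with a runtime value wants a file name, not a bareword:
    # Foo::Bar -> Foo/Bar.pm, searched for in @INC.
    (my $file = "$module.pm") =~ s{::}{/}g;
    require $file;
    return $module;
}

# Constructed sample inputs: one permitted name, one file name,
# one string carrying code, one valid but unlisted module.
for my $input ('List::Util', 'MyModule.pm', 'Foo; print 1', 'Data::Dumper') {
    # Block eval only traps die; it compiles nothing from $input.
    my $ok  = eval { load_plugin($input) };
    my $err = $@;
    chomp $err;
    printf "%-16s %s\n", $input, $ok ? 'loaded' : "rejected: $err";
}
```

Only the first input is loaded. The allowlist, not the name check, is what keeps a remote caller from selecting an arbitrary installed module, and neither helps if the caller can write files into a directory on @INC, which is the case the parent post describes.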