in reply to "eval"ing a hash without eval

In trying to run some code with taint checking, I found the following snippet:
local $/; my %conf = eval <CONF>;

Needless to say, that fails in taint mode.

How about if you add:
use IO::Handle; CONF->untaint;
This snippet, for example, seems to work as expected:
#!/usr/bin/perl -Tw
use strict;
use IO::Handle;
use Data::Dumper;
open(CONF, "< t41.conf") or die "couldn't open conf: $!\n";
CONF->untaint;
my %conf;
{
    local $/;
    undef $/;
    %conf = eval <CONF>;
}
print Dumper \%conf;

Re^2: "eval"ing a hash without eval
by Ovid (Cardinal) on Dec 29, 2005 at 04:19 UTC

    Yes, but my method is suitably paranoid and I don't have to worry about unsafe data getting in there. I should take a tip from Aristotle and go ahead and lex things properly. I'll avoid the entire eval scenario altogether.

    Cheers,
    Ovid

    New address of my CGI Course.
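Added example, not code from this thread: one way to take the "lex things properly" route mentioned above, so the config text never reaches eval. The grammar (flat `key => value` pairs) and the name `parse_conf` are assumptions, since the thread does not show the config file.

```perl
use strict;
use warnings;

# Assumed format (constructed for this example): key => value pairs
# separated by commas; keys are barewords or single-quoted strings,
# values are single-quoted strings or integers; '#' starts a comment.
sub parse_conf {
    my ($text) = @_;
    my (%conf, @tok);
    for ($text) {
        while (1) {
            next if /\G(?:\s+|#[^\n]*)/gc;      # skip whitespace and comments
            last if /\G\z/gc;
            # Captures are untainted, so these patterns are the whole
            # definition of what may leave the parser.
            if (/\G(=>|,)/gc)         { push @tok, [ op   => $1 ]; next }
            if (/\G([A-Za-z_]\w*)/gc) { push @tok, [ word => $1 ]; next }
            if (/\G(-?\d+)\b/gc)      { push @tok, [ num  => $1 ]; next }
            if (/\G'((?:[^'\\]|\\['\\])*)'/gc) {
                (my $s = $1) =~ s/\\(['\\])/$1/g;   # unescape \' and \\
                push @tok, [ str => $s ];
                next;
            }
            die "conf: unexpected input at offset " . (pos() // 0) . "\n";
        }
    }
    while (@tok) {
        my ($k, $arrow, $v) = splice @tok, 0, 3;
        die "conf: expected key => value\n"
            unless $v
            && $k->[0] =~ /^(?:word|str)$/
            && "@$arrow" eq 'op =>'
            && $v->[0] =~ /^(?:num|str)$/;
        die "conf: duplicate key '$k->[1]'\n" if exists $conf{ $k->[1] };
        $conf{ $k->[1] } = $v->[1];
        next unless @tok;
        my $sep = shift @tok;
        die "conf: expected ',' after '$k->[1]'\n" unless "@$sep" eq 'op ,';
    }
    return %conf;
}

# Constructed sample input, never passed to eval.
my %conf = parse_conf(<<'END');
    name   => 'demo',          # comment
    'path' => '/var/tmp/it\'s',
    port   => 8080,
END
print "$_ = $conf{$_}\n" for sort keys %conf;
```

Anything outside the four token patterns, such as a function call, backticks or a nested structure, stops the parse with an error instead of being executed.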