in reply to Re^2: "eval"ing a hash without eval
in thread "eval"ing a hash without eval
> I know where my code comes from but I can't guarantee the source of that config file. Its location is set by an environment variable and I can't guarantee someone won't hand edit that file. That's a whopping huge security hole.

To clarify: the code runs with some sort of special privileges, which allow a user to do things they wouldn't otherwise be able to do, and also gets its configuration from an environment variable that the user has control over? And the user can perform inappropriate actions by putting code into the config file, but not by making any other changes to the file?
Re^4: "eval"ing a hash without eval
by Ovid (Cardinal) on Dec 29, 2005 at 17:46 UTC