in reply to Re: Simple TCP server recomendations
in thread Simple TCP server recomendations

While your goal of making it easily extensible is admirable, this line troubles me:
if ( ! defined &$path ) {
Since you don't force any particular content on $path (except that it be strictly alphanumeric), you're also exposing any miscellaneous subroutines that happen to be defined. Are you sure that everything that POE exports is safe to be invoked, for example?

A better strategy would be to narrow the namespace a bit:

$path = "remote_request_$path"; ...
which ensures that someone has to go to the trouble to name a subroutine a particular shape before it can be invoked.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Re^3: Simple TCP server recomendations
by jasonk (Parson) on Oct 03, 2006 at 12:21 UTC

    That's a very good point. I had distilled this down from an application, very similar to what the OP was looking for, that I was actually using in production, and may have oversimplified it a bit.

    In the original, I was using attributes to flag subs that should be accessible through this interface, and didn't want to confuse the posting by leaving in all the attribute-related code. I had been thinking that it was unlikely that POE was exporting any functions that started with an underscore, but on further reflection it would certainly be possible to invoke random methods that didn't start with an underscore by hand-crafting your requests. Although the amount of damage you could do would be limited by not being able to pass arguments to any of those methods, it is still something to keep in mind.


    We're not surrounded, we're in a target-rich environment!
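To make the two suggestions in this thread concrete, here is an added example (constructed for this discussion, not code from the original posts or from POE) that combines merlyn's prefix trick with the attribute-based flagging jasonk describes. The package name RemoteHandlers, the dispatch sub, the :Remote attribute and the handler names are all assumptions made for the example. A request name first has to match the remote_request_* shape, and then the resolved sub must also have been tagged :Remote at compile time; a sub that merely happens to be defined in the package, or that has the prefix but no tag, is refused.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package RemoteHandlers;
use Scalar::Util qw(refaddr);

# Registry of code refs that were tagged :Remote. Filled in at compile
# time by the attribute handler below. A package variable is used rather
# than a lexical so that nothing at run time can reset it.
our %ALLOWED;

# Attribute handler. Perl calls this when it compiles a sub carrying
# attributes, so it must appear before any sub that uses :Remote.
# It returns the attributes it did NOT recognise; an empty list means
# every attribute was handled.
sub MODIFY_CODE_ATTRIBUTES {
    my ($pkg, $code, @attrs) = @_;
    my @unknown;
    for my $attr (@attrs) {
        if ($attr eq 'Remote') { $ALLOWED{ refaddr $code } = 1 }
        else                   { push @unknown, $attr }
    }
    return @unknown;
}

# True if this code ref was flagged :Remote.
sub is_remote {
    my ($code) = @_;
    return $ALLOWED{ refaddr $code } ? 1 : 0;
}

# Stage 1: only subs named remote_request_* are ever looked up.
# Stage 2: of those, only the ones tagged :Remote may be called.
sub remote_request_time :Remote { return scalar localtime }
sub remote_request_echo :Remote { return "echo: @_" }

# Has the prefix but was never tagged: rejected at stage 2.
sub remote_request_debug_dump { return "internal state" }

# An unrelated sub that also lives in the package (standing in for the
# exported functions merlyn was worried about): rejected at stage 1,
# because its name does not carry the prefix.
sub shutdown_everything { return "would have shut down" }

package main;

# Resolve a client-supplied name to a handler, or return an error string.
sub dispatch {
    my ($request, @args) = @_;

    # Keep the name strictly alphanumeric, as the original code did.
    my ($path) = $request =~ /^(\w+)$/
        or return "ERROR: malformed request";

    # merlyn's narrowing: the client cannot name an arbitrary sub.
    my $name = "remote_request_$path";
    my $code = RemoteHandlers->can($name)
        or return "ERROR: no such handler '$path'";

    # jasonk's flagging: the sub must also have been marked :Remote.
    return "ERROR: '$path' is not exported for remote use"
        unless RemoteHandlers::is_remote($code);

    return $code->(@args);
}

print dispatch('echo', 'hello'), "\n";       # echo: hello
print dispatch('time'), "\n";                # current local time
print dispatch('debug_dump'), "\n";          # not exported for remote use
print dispatch('shutdown_everything'), "\n"; # no such handler
print dispatch('../etc/passwd'), "\n";       # malformed request
```

The two checks are deliberately independent: the prefix alone still exposes remote_request_debug_dump, and the attribute alone would still let a client probe any name it liked for existence. Looking the handler up with can() instead of a symbolic reference also means the dispatcher runs under strict refs, so there is no `no strict 'refs'` block in which a stray name could be turned into a call.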