in reply to Re: How ti include a file in Perl script
in thread How ti include a file in Perl script

And then a bad, bad person comes along and edits your config file to read:

foo => 'bar', something => 'whatever'; `rm -rf /`;

Ouch.

Using a Config module as suggested above is safer, and in many cases just as easy.

If you need to use perl config files, you may be able to buy yourself some safety by using Opcodes or Safe.


TGI says moo

Re^3: How ti include a file in Perl script
by Saladino (Beadle) on Jan 11, 2008 at 08:15 UTC
    If he has access, isn't it easy for him to type "rm -rf /" directly instead of modifying my file? Or he could change any other file to programmatically remove every file he wants.
    There may be lots of reasons to use a Config module instead of this, but that is not one, in my opinion.

      Depending on how your scripts are run and the permissions on the files involved, your config files may be part of a privilege escalation attack.

      The risk really comes in where there is a difference in permissions between who can alter the config file, who can run the script, and the user the script executes as. If your script runs as setuid root, you give the system to an attacker.

      In your case, the risk may be small. But it is a risk that is easily and cheaply avoided by using a library to serialize your configuration data.


      TGI says moo
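
Added example (not part of the thread and not any poster's code): a sketch of the two defenses discussed above, reading the config as data instead of executing it, and refusing a file that someone other than its owner can alter. The `key = value` format, the function names `config_is_trusted` and `load_config`, and the ownership policy are assumptions made for illustration; a Unix-like system is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Refuse a config file that someone other than its owner could alter.
# Assumed policy: owned by the effective user or root, and not
# group- or world-writable.
sub config_is_trusted {
    my ($path) = @_;
    my @st = stat($path) or return 0;
    my ($mode, $uid) = @st[2, 4];
    return 0 unless $uid == $> || $uid == 0;
    return 0 if $mode & (S_IWGRP | S_IWOTH);
    return 1;
}

# Parse "key = value" lines as data only; nothing is ever eval'd or do'd.
sub load_config {
    my ($path) = @_;
    die "untrusted permissions on $path\n" unless config_is_trusted($path);
    open my $fh, '<', $path or die "open $path: $!\n";
    my %cfg;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#.*)?$/;          # blank line or comment
        $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "bad config line $.: $line\n";
        $cfg{$1} = $2;
    }
    close $fh;
    return \%cfg;
}

# Constructed sample file; the last line is a harmless stand-in for an
# injected command and is never executed by this parser.
my ($fh, $file) = tempfile(UNLINK => 1);
print {$fh} "foo = bar\nsomething = whatever\n`echo injected`;\n";
close $fh;

chmod 0600, $file;
my $cfg = eval { load_config($file) };
print "rejected: $@" unless $cfg;                  # line 3 is not key = value

chmod 0666, $file;                                 # now world-writable
print "trusted after chmod 0666? ",
    (config_is_trusted($file) ? "yes" : "no"), "\n";
```

A writable parent directory still lets someone replace the file, so a fuller check would apply the same test to the directory.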