in reply to Security Breach through Template::Toolkit

It's not a mere matter of configuring Template. If you pass an object to your template, the template can call arbitrary (public) methods on it.

So if you pass a DBIx::Class object to the template, it might be possible for the user to query your DB for things you didn't want to reveal to them. Or if you have defined some many-to-many relations the user could walk through all these relations, issuing many DB queries and thus degrading performance.

Maybe that can be prohibited somehow, but it's a danger you have to be aware of.


Re^2: Security Breach through Template::Toolkit
by dragonchild (Archbishop) on Nov 11, 2008 at 18:22 UTC
    More importantly, every good ORM allows you to access the entire database from any object provided by that ORM. That sort of reflection is considered to be a feature.

    My criteria for good software:
    1. Does it work?
    2. Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
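A worked example of the point both replies above make, added here and not code from either poster or from the Template or DBIx::Class projects: once a DBIx::Class row object is handed to Template::Toolkit, the template can call any public method on it, and one of those methods (`result_source`) leads to the schema and from there to every table, whether or not a relationship was declared. The two-table schema, the rows, the `sk-...` key strings and the template text are all constructed for the example; the same template is then rendered against a plain hash to show the mitigation.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread. Needs Template, DBIx::Class and
# DBD::SQLite from CPAN. Schema, rows and template text are all constructed.
use strict;
use warnings;

# --- Hypothetical two-table schema. Note that NO relationship is declared
# --- between users and secrets; the template will reach secrets anyway.
package My::Schema::Result::User;
use base 'DBIx::Class::Core';
__PACKAGE__->table('users');
__PACKAGE__->add_columns(qw(id name));
__PACKAGE__->set_primary_key('id');

package My::Schema::Result::Secret;
use base 'DBIx::Class::Core';
__PACKAGE__->table('secrets');
__PACKAGE__->add_columns(qw(id api_key));
__PACKAGE__->set_primary_key('id');

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class(User   => 'My::Schema::Result::User');
__PACKAGE__->register_class(Secret => 'My::Schema::Result::Secret');

package main;
use Template;

my $schema = My::Schema->connect('dbi:SQLite::memory:');
# Create the tables through the plain DBI handle so the example does not
# need SQL::Translator, which $schema->deploy would require.
my $dbh = $schema->storage->dbh;
$dbh->do('CREATE TABLE users   (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT)');

my $user = $schema->resultset('User')->create({ id => 1, name => 'alice' });
$schema->resultset('Secret')->create({ id => $_, api_key => "sk-constructed-000$_" })
    for 1, 2;

# Template text as it might arrive from an untrusted template author.
# The developer only meant to expose user.name; the FOREACH instead walks
# row -> result source -> schema -> an arbitrary resultset -> all its rows.
my $template = <<'TT';
Hello [% user.name %].
[% FOREACH s IN user.result_source.schema.resultset('Secret').all -%]
leaked: [% s.api_key %]
[% END -%]
TT

my $tt = Template->new;

# 1) Passing the row object: every public method is callable from the template.
$tt->process(\$template, { user => $user }, \my $with_object) or die $tt->error;
print "--- row object passed ---\n$with_object";

# 2) Passing a view model: a plain hash holding only the fields this page needs.
#    user.result_source is now just a missing hash key, so the whole chain
#    evaluates to undef and the loop body never runs. With STRICT => 1 in the
#    Template config the same access raises a var.undef error instead, which
#    is a convenient way to catch such templates in testing.
my %view = (name => $user->name);
$tt->process(\$template, { user => \%view }, \my $with_hash) or die $tt->error;
print "--- plain hash passed ---\n$with_hash";
```

Run it with `perl` and compare the two outputs: the first rendering prints both constructed API keys even though the only object passed in was one user row, the second prints only the greeting. The general lesson is to hand templates a hash of the scalars they are allowed to show rather than ORM objects, since the ORM's reflection (which dragonchild rightly calls a feature) cannot be switched off per object.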