BUU has asked for the wisdom of the Perl Monks concerning the following question:

I have some code I don't trust but I want it to communicate some data to my (trusted) script. I played around with some ideas and eventually hit upon the idea of Storable and it's freeze/thaw methods.

My simple question is "is thaw($untrusted_data) safe?" In the sense that the only thing $untrusted_data can have is a valid perl datastructure, and thawing it won't do anything other then giving me that data structure. It can't interfere with the rest of the script, set variables/functions etc, it can't execute arbitrary code, etcetera, right?

Replies are listed 'Best First'.
•Re: Storable::thaw / freeze, saftey?
by merlyn (Sage) on Jun 04, 2004 at 13:28 UTC
    If your object classes have a STORABLE_thaw method, that method will be called as a constructor to rebuild the object. There is probably potential mischief there. I can't imagine a scenario where the data structure also gets to define the method code as well, but it's still early in the morning for me. {grin}

    Also, I recall getting Storable to segfault if the frozen data structure was corrupted, so that could be used as a stack smashing attack. Alas, it was a long time ago, so I do not recall the details.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

[reply]
Re: Storable::thaw / freeze, saftey?
by eserte (Deacon) on Jun 04, 2004 at 14:11 UTC
    Also make sure that $Storable::Eval is not set to a true value, otherwise Storable would try to eval() data marked as a deserialized subroutine.
[reply]

Back to Seekers of Perl Wisdom