On Fri, 24 May 2002, Brett Sanger wrote:
> I've missed the beginning of this discussion, so just tell me to shut
> up if I'm off track here.
Yeah, you're off track. We're not talking about setup()...
> > If you have the run-mode name in a variable you can do:
> > my $run_mode = "foo";
> > return $self->$run_mode();
> >
> > And the code will call foo(). Isn't Perl great?
>
> Isn't that a soft reference that:
> 1) Makes strict angry
Not on my Perl:
$ perl -Mstrict -MIO::File -we 'my $meth = "new"; my $fh = IO::File->$meth("foo");'
$
> 2) Is discouraged, because 90% of soft-references should be hash elements?
That still leaves a healthy 10% for this and a few other usages.
Although, actually, now that you mention it, there is one good reason you
should be wary of this technique:
sub mode_jumper {
    my $self = shift;                                # the application object
    my $mode = $self->query->param('next_mode');     # taken straight from the request
    return $self->$mode();                           # calls whatever name was supplied
}
That looks safe enough. It looks like it shouldn't be able to do anything
worse than call any method in $self's class. But if a nefarious hacker
sets 'next_mode' to "CORE::dump" then your application will dump core!
Of course there are worse possibilities - this is the basic vulnerability
discovered in SOAP::Lite:
http://www.phrack.com/show.php?p=58&a=9
So, the moral of the story is: calling a method through a variable is a
useful technique but never allow that variable to be set by the user.
-sam
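The two versions of mode_jumper side by side, as an added example that is not part of Sam's message or of CGI::Application itself. The MyApp class, its run-mode names, the param() accessor and the %RUN_MODES allow-list are all constructed for illustration; the point is that the hardened version checks the requested name against a fixed hash of run modes before the dynamic call, so a value like "CORE::dump" or a package-qualified name never reaches $self->$mode().

```perl
#!/usr/bin/perl
# Added example (not from the original message): dispatching a run mode
# through a variable, unsafe and hardened. Class and method names are
# constructed for illustration.
use strict;
use warnings;

package MyApp;

# Allow-list: the only names a request may select. A hash lookup treats
# "CORE::dump" as just a string that is not a key, so it is rejected
# before any method call happens.
my %RUN_MODES = map { $_ => 1 } qw(start list_items show_item);

sub new {
    my ($class, %args) = @_;
    return bless { params => $args{params} || {} }, $class;
}

# Stand-in for $self->query->param(): returns a request parameter.
sub param {
    my ($self, $name) = @_;
    return $self->{params}{$name};
}

sub start      { return "start page" }
sub list_items { return "item list"  }
sub show_item  { return "one item"   }

# Unsafe version from the thread: the method name comes straight from the
# request, so any fully qualified sub name is callable.
sub mode_jumper_unsafe {
    my $self = shift;
    my $mode = $self->param('next_mode');
    return $self->$mode();
}

# Hardened version: consult the allow-list first, then dispatch.
sub mode_jumper {
    my $self = shift;
    my $mode = $self->param('next_mode');
    die "unknown run mode\n" unless defined $mode && $RUN_MODES{$mode};
    return $self->$mode();
}

package main;

# Constructed requests: one legitimate run mode, two hostile names.
for my $next (qw(list_items CORE::dump MyApp::new)) {
    my $app = MyApp->new(params => { next_mode => $next });
    my $out = eval { $app->mode_jumper() };
    my $err = $@;
    chomp $err;
    printf "%-12s -> %s\n", $next, defined $out ? $out : "rejected ($err)";
}
```

Note that $self->can($mode) is not a substitute for the allow-list: can() resolves package-qualified names as well, so it would happily return a code reference for a name the application never intended to expose. A hash of known run modes (or a dispatch table mapping names to code references) is the check that actually enforces "never let the user choose the method".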
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/[email protected]/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]