-- Michael G Schwern <[EMAIL PROTECTED]>

> On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote:
>> There's already a %dispatch set up for you by perl...
>
> I'd have used it but it just fell into the gaping security hole.
>
> A recent Phrack article pointed out that one of the SOAP/RPC/XML
> modules was doing this:
>
>     $soap->$tainted_method_name(@args);

Use -T and untaint by extracting the subname:

    # capture the bare identifier; a plain match only yields true/false
    my ($flag) = "::$input" =~ /(\w+)$/;

    my $sub = $jumpz{$flag};

or simply:

    croak "$$: Bogus sub call: $blah" if $blah =~ /\w+::\w+/;

That or check ref $sub to see that it is in the package you
expect it to be in.

--
Steven Lembark                               2930 W. Palmer
Workhorse Computing                       Chicago, IL 60647
                                            +1 800 762 1582
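The approach sketched in the thread, put together as an added example (not code from the thread or any of its posters): a fixed dispatch table, rejection of package-qualified names, untainting by capture, and a check that the coderef lives in the expected package. All names (`Handler`, `%dispatch`, `call_method`) are placeholders chosen here; run it as `perl -T` so the capture actually matters.

```perl
use strict;
use warnings;
use Carp;
use B ();

package Handler;
sub echo    { my ($class, @args) = @_; return "echo: @args" }
sub version { return "1.0" }

package main;

# Only methods listed here may be reached by a caller-supplied name.
my %dispatch = (
    echo    => \&Handler::echo,
    version => \&Handler::version,
);

sub call_method {
    my ($input, @args) = @_;

    # "Other::Pkg::func" handed to $obj->$input(...) would escape the
    # handler package entirely, so refuse qualified names outright.
    croak "$$: Bogus sub call: $input" if $input =~ /\w+::\w+/;

    # Untaint by extracting just the bare identifier. The capture is the
    # point: a bare match returns true/false, not the name.
    my ($name) = "::$input" =~ /::(\w+)\z/
        or croak "$$: Bad method name: $input";

    my $sub = $dispatch{$name}
        or croak "$$: Unknown method: $name";

    # ref($sub) only says CODE; B tells us which package the sub was
    # compiled into, which is what "check it is in the package you
    # expect" needs.
    my $pkg = B::svref_2object($sub)->STASH->NAME;
    croak "$$: Coderef outside Handler: $pkg" unless $pkg eq 'Handler';

    return $sub->('Handler', @args);
}

# Constructed inputs: one legitimate call, one package-qualified name
# of the kind the Phrack article describes (@ARGV is tainted under -T).
my $wanted = shift @ARGV // 'echo';
print call_method($wanted, 'hi'), "\n";
eval { call_method('Other::Pkg::func') };
print "rejected: $@" if $@;
```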
