Tim Gim Yee wrote:
> > If I'm missing the point and opening gaping security holes, I want to
> > know that as well.
>
> The problem is the above code untaints without validating the data. I
> mistakenly thought inserting an MD5 hash would work, but without it, you
> need some other check. The safest thing to do though is to avoid eval
> 'string' altogether and parse the config file yourself.
>
> Actually, how about using Storable instead of Data::Dumper?
I'm just not convinced that the config file is a security threat. Sure
you could put evil code in it, but it's not my job to keep you from
shooting yourself in the head. My job is just to keep others from
fragging you to smithereens. If someone can change your config they
probably have access to do a lot worse.

You're right that using Data::Dumper/eval is a cheap way to avoid
parsing, but hey, I'm just a lazy Perl programmer. It is fast and
reliable though.

Storable is an excellent module, but saves its data in a non-editable
fashion. At this point, I don't want to preclude the possibility of
people hand editing their config files.

So let's leave the config file like it is and just find out what needs
to be changed so that people can use Inline with that darned taint
checking. We just need to ensure that if someone does put a cap in their
dome, that their last dying thought isn't "I'll get you for this Inline,
arghhhhh...."
Cheers, Brian
--
perl -le 'use Inline C=>q{SV*JAxH(char*x){return newSVpvf
("Just Another %s Hacker",x);}};print JAxH+Perl'
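The two approaches in the exchange above, as an added example that is not from the thread or from Inline itself: Brian's Data::Dumper dump loaded with eval, which taint mode refuses as soon as the text has come from a file, beside a hand-rolled parser of the kind Tim suggests, which untaints only what it has validated. The config keys (cc, optimize, retries) are made up, and the script must be started with `perl -T`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Data::Dumper;
use File::Temp qw(tempfile);

# Constructed sample config (hypothetical keys), written the way Data::Dumper
# emits it with Terse/Indent/Sortkeys, then read back so the text is tainted.
local $Data::Dumper::Terse    = 1;
local $Data::Dumper::Indent   = 1;
local $Data::Dumper::Sortkeys = 1;
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh Dumper({ cc => 'gcc', optimize => '-O2', retries => 3 });
close $fh;
open my $in, '<', $path or die "open: $!";
my $text = do { local $/; <$in> };
close $in;

# Brian's loader shape: eval the dump. Under -T this dies before any code
# runs, evil or not, because the string came from outside the program.
eval { eval $text };
print "eval refused tainted config: $@" if $@;

# Tim's alternative: parse it yourself. Only a flat hash of 'key' => scalar
# is accepted; the regex capture is the untaint step, and anything else (a
# call, a bareword, a nested ref) fails closed, so nothing ever reaches eval.
sub load_config {
    my ($dump) = @_;
    my @lines = split /\n/, $dump;
    die "not a hashref dump\n"
        unless @lines >= 2 && $lines[0] eq '{' && $lines[-1] eq '}';
    my %cfg;
    for my $line (@lines[1 .. $#lines - 1]) {
        if ($line =~ /^\s*'([A-Za-z_]\w{0,63})'\s*=>\s*'([^'\\]{0,255})',?$/) {
            $cfg{$1} = $2;                      # $1/$2 are untainted copies
        }
        elsif ($line =~ /^\s*'([A-Za-z_]\w{0,63})'\s*=>\s*(-?\d{1,10}),?$/) {
            $cfg{$1} = $2 + 0;
        }
        else {
            die "rejected config line: $line\n";
        }
    }
    return \%cfg;
}

my $cfg = load_config($text);
print "$_ = $cfg->{$_}\n" for sort keys %$cfg;

# A dump that smuggles in a call is never evaluated, only reported:
eval { load_config("{\n  'cc' => system('id')\n}") };
print "bad config: $@";
```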