If you replace : with => (or even a comma), then you'd have PON - Perl Object Notation, also known as actual Perl code. So having that you could then do something silly like prepend our $hash_ref = then string eval or write it to a file then require it:

And if - for some nasty reason - the input suddenly contains something like "foo" : `rm -rf /` ("foo" => `rm -rf /` after replacing : with =>), you will learn the hard way why you don't blindly run configuration data as executable code. JSON, JSON::PP, and JSON::XS all treat data as such and do not treat the input as executable code. Hell, you don't even eval() JSON in Javascript - for the same reason.

See also:

• Re^2: conf file in Perl syntax
• Re: Accessing variables in an external hash without eval
• Re^4: The safety of string eval and block eval.
• Re^2: Storing state of execution
• Re: What's the right way to include a config file as a .pm bareword?
• Re^4: how to read conf file in perl script

Alexander