Re: use Safe ; Any Thwarted Attacks?
by scrottie (Scribe) on Nov 11, 2003 at 05:29 UTC

I don't know if anyone has attacked me - attackers are
pretty lazy and stupid these days, with so many targets,
such easy pickings, and such apathy towards the Web in
general - but I trust it in production. Though I
could be sealing my fate here. Oh well. I also back up,
compartmentalize, and run bounds checking patches.

Actually, I don't use Safe.pm - I use its bastard cousin, ops.pm: http://perldesignpatterns.com/?self The Internet community at large is allowed to write code to extend TinyWiki.

It is useful to understand the way these modules work - for that, read the Opcode manual page. A bitmask is maintained and disallowed ops aren't compiled. Any code compiled before the "use ops" line can do anything it wants, but any code compiled after it - including in evals - cannot compile down to anything that uses any opcode deemed unsafe.

This industrial strength approach avoids a lot (most?) of the problems with Safe - but then your module would be dropping permissions permanently so that unsafe things don't appear in config files. On one hand, drop as much privilege as early as possible. On the other, don't invite disaster - like me. Use YAML or XML or SGML or ... something.

I hope this amuses and/or helps.

-scott
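
The compile-time behaviour described in the post above, as an added example that is not part of the original post and is not TinyWiki's code: a sub compiled before the mask is extended keeps working, while snippets compiled afterwards through string `eval` are refused. The set of denied ops and the sample snippets are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compiled BEFORE the mask is extended, so it may contain the system op.
sub compiled_early { return system($^X, '-e', 'exit 0') }

# "no ops LIST" adds LIST to the interpreter's compile-time op mask.
# These are real Opcode op names; which ones to deny is our assumption.
no ops qw(system exec backtick unlink);

# Constructed sample input standing in for user-submitted code.
my @submitted = (
    q{ join ",", map { $_ * 2 } 1 .. 3 },
    q{ system("id") },
    q{ `id` },
    q{ unlink "/tmp/constructed-example" },
);

for my $code (@submitted) {
    # Wrapping in "sub { }" means the snippet is only compiled, never run.
    my $sub = eval "sub { $code }";
    if ($sub) {
        print "compiled:$code\n";
    }
    else {
        (my $why = $@) =~ s/ at \(eval.*//s;   # trim the location suffix
        print "refused: $code => $why\n";
    }
}

# The mask is checked when code is compiled, not when it runs, so the
# sub defined above the "no ops" line still executes its system op.
my $status = compiled_early();
print "compiled_early() exit status: $status\n";
```

Because the op mask can only grow for the life of the interpreter, everything that legitimately needs a denied op has to be compiled above the `no ops` line.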