PerlMonks  

Re^2: "eval"ing a hash without eval

by Ovid (Cardinal)
on Dec 29, 2005 at 08:12 UTC ( [id://519735]=note )


in reply to Re: "eval"ing a hash without eval
in thread "eval"ing a hash without eval

These are very easy questions to answer.

Why replace my working code?
Because I hacked something together quickly and it's probably not very robust. If there is something out there better tested, I want it. If I can't get the author to respond to problems, forking is trivial. (But see my comment below)
Every piece of code you run gets eval'd.
I know where my code comes from but I can't guarantee the source of that config file. Its location is set by an environment variable and I can't guarantee someone won't hand edit that file. That's a whopping huge security hole.
Wouldn't it be faster to change the file format?
No. It would take far longer. That config file is autogenerated. As mentioned in my post, it would take me two or three days (I hope) to rip out everything which writes to that file and replace it. Instead, I hacked a solution in a couple of hours.

I will agree though that too much reliance on external modules is problematic. For bigger things we don't have the time to do, maybe that's OK. For smaller things, maybe forking or cribbing ideas is a better bet.

Cheers,
Ovid

New address of my CGI Course.

Re^3: "eval"ing a hash without eval
by sgifford (Prior) on Dec 29, 2005 at 16:50 UTC
    I know where my code comes from but I can't guarantee the source of that config file. Its location is set by an environment variable and I can't guarantee someone won't hand edit that file. That's a whopping huge security hole.
    To clarify: the code runs with some sort of special privileges, which allow a user to do things they wouldn't otherwise be able to do, and also gets its configuration from an environment variable that the user has control over? And the user can perform inappropriate actions by putting code into the config file, but not by making any other changes to the file?

      The problem, in a nutshell, is that this code will eventually be available to others. I will then have no control over how they choose to use it or what environments they will be working in. Thus, I don't want to provide them with a chunk of code which reads "here, eval this text file" and guess as to whether or not it's safe.

      Cheers,
      Ovid

      New address of my CGI Course.
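
The concern raised in this thread, a config file of unknown origin being handed to string eval, illustrated as an added example (not code from the thread or from any poster): a small Perl parser that reads a flat hash literal as data and rejects anything else. The file format, the function names `parse_flat_hash` and `_token`, and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Read one scalar at the current pos() of $$ref, or die. Nothing is executed.
sub _token {
    my ($ref, $allow_bareword) = @_;
    if ($$ref =~ /\G'((?:[^'\\]|\\.)*)'/gcs) {
        (my $s = $1) =~ s/\\(['\\])/$1/g;    # \' and \\ are the only escapes
        return $s;
    }
    return $1 if $$ref =~ /\G(-?\d+(?:\.\d+)?)\b/gc;
    return $1 if $allow_bareword && $$ref =~ /\G([A-Za-z_]\w*)/gc;
    die sprintf "unexpected input at offset %d\n", pos($$ref) // 0;
}

# Parse "{ key => 'value', other => 42, }" into a hash ref.
# Assumed format: one flat hash, no nesting, no interpolation.
sub parse_flat_hash {
    my ($text) = @_;
    my %h;
    $text =~ /\G\s*\{\s*/gc or die "expected '{'\n";
    while (1) {
        last if $text =~ /\G\}\s*;?\s*\z/gc;    # empty hash or trailing comma
        my $key = _token(\$text, 1);
        $text =~ /\G\s*=>\s*/gc or die "expected '=>' after key '$key'\n";
        die "duplicate key '$key'\n" if exists $h{$key};
        $h{$key} = _token(\$text, 0);           # barewords are never values
        next if $text =~ /\G\s*,\s*/gc;
        last if $text =~ /\G\s*\}\s*;?\s*\z/gc;
        die "expected ',' or '}' after value of '$key'\n";
    }
    return \%h;
}

# Constructed sample inputs (not from the thread).
my $good = "{ name => 'demo', 'max users' => 25, motd => 'it\\'s fine', }";
my $evil = "{ name => 'demo', hook => do { warn 'code ran' } }";

for my $input ($good, $evil) {
    # Block eval only traps die(); unlike string eval it compiles nothing.
    my $conf = eval { parse_flat_hash($input) };
    if ($conf) { print join(', ', map { "$_=$conf->{$_}" } sort keys %$conf), "\n" }
    else       { print "rejected: $@" }
}
```

Because the parser only ever copies matched text into the hash, a hand-edited file can at worst cause a parse error; it cannot run code with the privileges of the program that loads it.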
