perl.perl5.porters: Postings from September 2012

Re: Use Module::Load More Pervasively (was Re: Re: Taking CPANPLUS out of core)

From: Tom Christiansen
Date: September 29, 2012 15:25
Subject: Re: Use Module::Load More Pervasively (was Re: Re: Taking CPANPLUS out of core)
Message ID: 11272.1348957511@chthon
Leon Timmermans <fawaka@gmail.com> wrote on Sat, 29 Sep 2012 22:35:34 +0200: 

> On Sat, Sep 29, 2012 at 7:03 PM, chromatic <chromatic@wgz.org> wrote:

>> On Saturday, September 29, 2012 06:25:10 PM Leon Timmermans wrote:

>>> I definitely think Module::Load should stay in, it's one of those
>>> things that shouldn't have needed a module in the first place IMO.

>> If it can replace the eval "require $module; 1" idiom in core
>> modules, so much the better. Some of those instances of $module in
>> the core don't check that $module can *only* contain valid module
>> names or file paths.
>>
>> This probably deserves an audit.

> It doesn't help that the require documentation shows this trick
> without pointing out the security implications.

You think that's bad, it turns out that the core documentation
also shows things like

    unlink $file;

without pointing out the security implications.  Heavens!

So while I'm sure you'll tell me why I'm wrongheaded in this, it very much
seems to me that anybody mindlessly requiring arbitrary strings that come
from a hostile user bent upon subverting system security is going to have
a huge whole lot of other, more important things to worry about than just
this alone.  It seems like a red herring.

It's like people have forgotten what it is to handle tainted data, and how
to do so properly.  I don't understand that.  After all, if you want taint
mode, you know where to find it.

Perl was not designed to stop you from doing stupid things, because that
would also stop you from doing clever things.  Plus nobody can stop you
from doing stupid things.

What am I missing here?

--tom
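The idiom under discussion, `eval "require $module; 1"`, interpolates `$module` into Perl source text, so a value that is not a bare package name becomes arbitrary code or an arbitrary file path. The script below is an added illustration, not code from Tom, chromatic or the perl5-porters thread: it places the string-eval form next to a replacement that first checks the name against the grammar of a Perl package name and then hands it to the core `Module::Load::load()`, which does a plain `require` on the translated filename. The sample inputs and the function names `load_via_string_eval` and `load_module_safely` are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Module::Load ();   # core module; exports load(), called fully qualified here

# The idiom quoted in the thread. $module is interpolated into source
# text, so anything that parses as Perl after the name is compiled too.
# Kept here only for contrast; it is never called with the samples below.
sub load_via_string_eval {
    my ($module) = @_;
    return eval "require $module; 1";
}

# Grammar of a Perl package name: identifiers joined by '::'. Anything
# else (semicolons, slashes, dots, hyphens, leading digits) is refused.
my $VALID_MODULE_NAME =
    qr/\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/;

# Hardened replacement. Note that Module::Load::load() itself also
# accepts file paths, so the check below is what keeps '../' out; the
# module does not do that validation for you.
sub load_module_safely {
    my ($module) = @_;
    die "refusing to load invalid module name: '$module'\n"
        unless $module =~ $VALID_MODULE_NAME;
    Module::Load::load($module);   # require Foo/Bar.pm, no string eval
    return 1;
}

# Constructed sample inputs (not taken from the thread).
my @inputs = (
    'List::Util',                              # valid, core
    'File::Spec::Functions',                   # valid, core
    'List::Util; warn "smuggled statement"',   # extra statement after the name
    '../../../etc/passwd',                     # a path, not a name
    'Bad-Name',                                # not an identifier
);

for my $name (@inputs) {
    my $ok = eval { load_module_safely($name); 1 };
    my $status = $ok ? 'loaded' : 'rejected: ' . ($@ =~ s/\n\z//r);
    printf "%-40s %s\n", $name, $status;
}
```

Run with `perl loader.pl`: the first two names load, the other three are rejected before anything is compiled or opened. The same regex is the check to apply before any `require $module` or `eval "require $module"` that survives in code you maintain; if the name must come from configuration or a request, taint mode (`-T`) will also flag it until it has passed a pattern match like this one.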
