http://www.perlmonks.org?node_id=656533


in reply to Re^2: variable subroutine call
in thread variable subroutine call

Sorry. I guess I should have said it can be dangerous if others have access to it. Perhaps my own prejudices. I tend to be wary of things that execute code (or in this case, arbitrary subroutines) without any checking of the input other than "does the function exist". That's all.

--
meraxes

Replies are listed 'Best First'.
Re^4: variable subroutine call
by shmem (Chancellor) on Dec 12, 2007 at 01:40 UTC
    The security issue is "not validating user input" (under certain circumstances) and not "making a string into a subroutine call". If the subroutine cannot be resolved, perl will complain (i.e. die), and done. So "validating user input" doesn't apply in the OP's context.

    It is just what your shell is doing, day in, day out.

    --shmem

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                                  /\_¯/(q    /
    ----------------------------  \__(m.====·.(_("always off the crowd"))."·
    ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}

      Once again, just my paranoia. I dig what you're saying. Perhaps "authorization" is a better representation of what I was thinking. A wee bit beyond the scope of this, yes. Didn't mean to muddy the waters.

      My first job was writing Perl that many other people ran to do their work and I was always conscious of the "damage" they could do with my scripts... so I find myself functioning on paranoia level 42 at all times. ;)

      Obviously this isn't the issue here.

      --
      meraxes