> safe with unsanitized user input/unsafe data?
Good question ...
let's test:
DB<103> $hash={ key => ' text @{[print "Injection" ]} text' }
=> { key => " text \@{[print \"Injection\" ]} text" }
DB<104> use Data::Dumper
DB<105> $str = Dumper $hash
$VAR1 = {
'key' => ' text @{[print "Injection" ]} text'
};
DB<106> eval $str
=> { key => " text \@{[print \"Injection\" ]} text" }
DB<108> print $VAR1->{key}
text @{[print "Injection" ]} text
Looks fine to me. =)
Update:
Explanation: Data::Dumper puts strings into single quotes, so no danger of interpolation.
Data::Dump uses double quotes, but escapes all sigils.
Update:
NB: eval of included strings can still be dangerous!
They don't sanitize dangerous strings for you, they will just reproduce the original data structure.
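An added example (not from the original post) that runs the same round-trip as the debugger session above, but with several constructed "unsafe" strings at once and with the eval done inside a Safe compartment, so a dump that has been tampered with cannot reach system() or the shell. It assumes only core modules (Data::Dumper, Safe); the counter $hit and the sample values are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use Safe;

$Data::Dumper::Terse    = 1;   # bare structure, no leading "$VAR1 = "
$Data::Dumper::Sortkeys = 1;   # stable key order

# Counter that the embedded "payload" would bump if it were ever run.
our $hit = 0;

# Constructed values that look like interpolation or code.
my $data = {
    arrayref_trick => ' text @{[ $main::hit++ ]} text',
    sigils         => 'costs $100, see @ARGV and ${\ "x" }',
    quoting        => q{it's "quoted" and back\slashed},
    newline        => "line1\nline2",
};

# Serialise: Dumper emits single-quoted literals (sigils are inert there);
# with $Data::Dumper::Useqq = 1 it would use double quotes and escape
# every sigil instead.
my $dumped = Dumper($data);

# Deserialise inside a Safe compartment: constants and anonymous hash/list
# constructors are permitted by the default opmask, but system(), open(),
# backticks and friends are not.
my $safe = Safe->new;
my $copy = $safe->reval($dumped);
die "reval failed: $@" if $@;

# Verify the round trip: same keys, byte-identical values, payload inert.
die "key count differs" unless keys %$copy == keys %$data;
for my $k (sort keys %$data) {
    die "value for $k changed" unless $copy->{$k} eq $data->{$k};
}
die "payload was executed!" if $hit;
print "round trip OK, hit=$hit\n";

# Contrast: eval of an untrusted blob is still code execution, which is
# exactly what the compartment refuses to compile. (Constructed input.)
my $tampered = q[{ key => 'x' }; system('echo injected')];
$safe->reval($tampered);
print "Safe rejected tampered input: $@" if $@;
```

The Safe compartment does not make eval of arbitrary text safe in general (it only masks opcodes); if the dump comes from outside your process, prefer a data-only format such as JSON over eval.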