Re^2: How can I convert hash to string and back again?

Is Data::Dump/Data::Dumper safe with unsanitized user input/unsafe data? Im feeding email data directly into a hash. Dumping the hash is no problem, but undumping it with eval. Is Data::Dump/Data::Dumper making sure any code inside Always is completely 100% safe to run - provided I only deal with hashes, strings and arrays?

Comment on Re^2: How can I convert hash to string and back again?

Replies are listed 'Best First'.

Re^3: How can I convert hash to string and back again?
by LanX (Saint) on Mar 02, 2015 at 21:41 UTC

> safe with unsanitized user input/unsafe data?

Good question ...

lets test:

  DB<103> $hash={ key => ' text @{[print "Injection" ]} text' }
 => { key => " text \@{[print \"Injection\" ]} text" }

  DB<104> use Data::Dumper

  DB<105> $str = Dumper $hash
$VAR1 = {
          'key' => ' text @{[print "Injection" ]} text'
        };

  DB<106> eval $str
 => { key => " text \@{[print \"Injection\" ]} text" }

  DB<108> print $VAR1->{key}
 text @{[print "Injection" ]} text
[download]

Looks fine for me. =)

update

Explanation: Data::Dumper puts strings into single quotes, so no danger of interpolation.

Data::Dump uses double quotes, but escapes all sigils.

update

NB: eval of included strings can still be dangerous! They don't sanitize dangerous strings for you, they will just reproduce the original data structure.

Cheers Rolf
_{(addicted to the Perl Programming Language and ☆☆☆☆ :)}

PS: Je suis Charlie!

[reply]
[d/l]


Think about Loose Coupling
	PerlMonks