Capture::Tiny doesn't actually evaluate a string as code. You still need to use eval (or Safe) for that. Here's a minimal example:
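
    use strict;
    use warnings;
    use Capture::Tiny qw/capture/;

    my $code = 'print "hi"';

    # eval runs the string; capture collects whatever it writes to
    # STDOUT/STDERR, plus the block's return value(s).
    my ($stdout, $stderr, @result) = capture { eval $code };

    print "Stdout: $stdout\n";
    print "Stderr: $stderr\n";
    print "Result: @result\n";
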
The output will be:

    Stdout: hi
    Stderr:
    Result: 1

You might be wondering where "1" comes from. print returns true on success, and that propagates through the eval back to capture, which rolls it into the result set.
Now once you introduce Safe (which I suspect you probably will end up doing), things get a lot more complicated really fast, and you'll still be exposed to DoS attacks.
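
An added example, not part of the original answer: the same capture-plus-eval pattern extended to return the eval error (`$@`) and to stop a runaway loop with `alarm`. The helper name `run_snippet`, the sample snippets and the 2-second limit are assumptions, and `alarm` assumes a Unix-like system.

```perl
use strict;
use warnings;
use Capture::Tiny qw/capture/;

# Hypothetical helper, not part of Capture::Tiny: evaluate a string, capture
# what it prints, and hand back any eval error instead of losing it.
sub run_snippet {
    my ($code, $timeout) = @_;
    my ($stdout, $stderr, $error, @result) = capture {
        my (@r, $err);
        # The block eval catches a timeout that fires outside the string eval.
        my $done = eval {
            local $SIG{ALRM} = sub { die "timeout\n" };
            alarm $timeout;
            @r   = eval $code;   # string eval: compiles and runs $code
            $err = $@;           # copy at once; later evals overwrite $@
            alarm 0;
            1;
        };
        alarm 0;
        $err = $@ || "unknown error\n" unless $done;
        ($err, @r);              # becomes capture's result list
    };
    return { stdout => $stdout, stderr => $stderr,
             error  => $error,  result => \@result };
}

# Constructed sample snippets: success, compile error, warning, endless loop.
my @samples = (
    'print "hi"',
    'print "oops',
    'warn "careful\n"; 6 * 7',
    'my $i = 0; while (1) { $i++ }',
);

for my $code (@samples) {
    my $r = run_snippet($code, 2);
    chomp(my $error = $r->{error});
    print "Code:   $code\n";
    print "Stdout: $r->{stdout}\n";
    print "Stderr: $r->{stderr}\n";
    print "Result: @{ $r->{result} }\n";
    print "Error:  $error\n\n";
}
```

The time limit only interrupts loops running in Perl code; a snippet evaluated this way can still call `exit`, exhaust memory, or reach the enclosing lexical variables, so it is not a substitute for Safe or a separate process.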