PerlMonks  

Is Safe.pm unsafe?

by crazyinsomniac (Prior)
on May 13, 2002 at 04:23 UTC (#166096=perlquestion)
crazyinsomniac has asked for the wisdom of the Perl Monks concerning the following question:

How safe is Safe.pm?

Recently, deciding to do some improvements to RegexLab, I decided Safe would be best employed, so I did a quick search on perlmonks and came across

How to use LWP::Simple inside a safe compartment? (unresolved - probably need to permit some network opcodes)
use Safe and CGI; (a nice little demo)
The proper use of Safe (lesson: lexicals ain't globals)
How Safe is Safe::? (warranty discussion - not related)
Known security issues with Safe.pm? is right on topic, but there is no answer ( and my question is more to the comments of ask ).
Mileage with safe, Perl sandbox, Safe / @ISA Problem

Now I come across Safe.pm is not safe in which ask says

By returning the right values from the safe compartment it's quite possible to "break out" of it.
and someone in the cb said the same thing (Safe isn't truly safe), so can somebody explain to me why/how?

Code examples work best.

P.S.

I am aware of Safe::Hole. I did search perlmonks for previous discussions ask mentions that discuss the insecurity of Safe.pm, but turned up nothing.

 
______crazyinsomniac_____________________________
Of all the things I've lost, I miss my mind the most.
perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

Re: Is Safe.pm unsafe?
by jlongino (Parson) on May 13, 2002 at 06:14 UTC
    Let me preface this by saying that I've hardly touched Safe.pm. In fact, my reply to one of the links you noted was the first and only time I used it. I hope that what I present below is not out of context. As usual, please correct me where necessary.

    From what browsing I've done, Safe.pm doesn't seem to have been improved upon anytime lately. Although my post doesn't answer your questions about being safe or not, it does point out that it may have other problems. I came across this thread between Tim Bunce and Jarkko Hietaniemi from 7-2001:

    TB: Many people who use, or try to use, Safe could get by with the ops pragma
    (which is why I separated the ops filter logic from Safe many moons ago).

    JH: Is this still true in the days of SOAP, XML-RPC and... insert buzzword here?

    TB: Perhaps less so, but Safe is still (from memory) fairly broken/limited in assorted dimensions many of which can't be fixed before perl6 and the others probably need a rewrite (probably to use ithreads).

    This view seems to be mirrored by a few other non-PM search results, but they were not from as well-known figures. Unfortunately, they leave us to our own imaginations as to what these dimensions might be.

    --Jim

Node Type: perlquestion [id://166096]
Approved by erikharrison
Front-paged by samtregar