http://www.perlmonks.org?node_id=37204

Time and time again, we hear Monks admonish others that they should use strict;. Well, here's a great example why.

Routinely, I see in people's code use strict; with no strict 'refs'; later in the code. Typically, when I see this, my mind screams "Danger, Will Robinson, Danger!" (which is rather odd as my given name is actually "Curtis"). Consider the following code that I ran across today:

if ($main::stateIn{'sibling'}) { no strict 'refs'; &{$main::stateIn{'sibling'}}(); }
First, the $main::stateIn{} hash is fully qualified because the developer apparently didn't know the difference between package and lexical variables. Second, $main::stateIn{} is how he gets the CGI parameters. Yup, you guessed it! He wrote a broken alternative to CGI.pm. See this link for an explanation why most alternatives to CGI.pm are flawed. In this case, the developer's alternative had all of the classic errors detailed in the aforementioned link. However, what we're really interested in is the following line:
&{$main::stateIn{'sibling'}}();
Since the developer had no strict 'refs'; before this, and since the developer also didn't bother to employ taint checking, that snippet above will allow a cracker to execute any frickin' subroutine they want so long as the main program can call it. The program in question uses many different modules which, in turn, use other modules. There are literally hundreds of different subs that could be called, with unknown consequences. Admittedly, you can't pass any params to those subs, but that's one HECK of a security hole.

Just use strict; folks.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.