
Re: "Dynamic" dispatch tables

by mr_mischief (Monsignor)
on Apr 29, 2011 at 18:14 UTC

in reply to "Dynamic" dispatch tables

All interactive software tends to run different subs based on user input in some way. There's no security issue with that per se. Where there's a security issue is making a system call with user-supplied data or executing code received as user-supplied data. If one of your subroutines makes a change to part of the system outside your program, you need to be very sure what kinds of changes it can make given the inputs which are allowed to change its behavior.

Replies are listed 'Best First'.
Re^2: "Dynamic" dispatch tables
by elTriberium (Friar) on Apr 29, 2011 at 18:20 UTC
    Right, that's the part where user input becomes code in my original post:
    $dispatch_table{$tc} = sub {eval "tcid_$tc()"},
    $tc is a value entered by the user. I'm dynamically creating the sub name tcid_$tc based on that input. Since this is in an eval, there are of course bad things a user could do here (like supplying --tcid 1;<bad code here>), but since this code will never be released to the public I don't see this as a big issue. And of course I can add some additional parsing for example that a tcid is only \d+ and nothing else.
      Well, if the only people running the code would also have access to alter the code then you're not really protecting the system from anything but an accident.
        OK, good point, thanks.
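
The digits-only check mentioned in the thread, combined with a symbol lookup in place of the string eval, so that nothing derived from `$tc` is ever compiled as code. This is an added example, not code from the original posts; the subs `tcid_1` and `tcid_2`, the helpers `resolve_tc` and `run_tc`, and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical test-case subs following the tcid_<N> naming used in the thread.
sub tcid_1 { return "ran test case 1" }
sub tcid_2 { return "ran test case 2" }

# Resolve a user-supplied id to a code reference without string eval.
# Returns a false value when the id is malformed or no such sub exists.
sub resolve_tc {
    my ($tc) = @_;
    return unless defined $tc;
    # \A and \z anchor the whole string; a plain $ would accept "1\n".
    # [0-9] is used instead of \d, which also matches non-ASCII digits.
    return unless $tc =~ /\A[0-9]+\z/;
    # can() looks the name up in the package; $tc is never compiled.
    return __PACKAGE__->can("tcid_$tc");
}

# The dispatch table is filled only with entries that passed validation.
my %dispatch_table;

sub run_tc {
    my ($tc) = @_;
    my $code = resolve_tc($tc);
    return "rejected" unless $code;
    $dispatch_table{$tc} ||= $code;
    return $dispatch_table{$tc}->();
}

# Constructed inputs: two valid ids, an undefined test case, the
# injection-shaped value quoted in the thread, and a trailing newline.
for my $input ('1', '2', '99', '1;<bad code here>', "1\n") {
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-22s => %s\n", "'$shown'", run_tc($input);
}
```

Only `'1'` and `'2'` reach a sub; the other three inputs are rejected before any lookup or call happens.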
