PerlMonks  

Re: Undumper

by epoptai (Curate)
on Jun 29, 2001 at 11:57 UTC


in reply to Undumper

Opening a dumped file and evaling the string never even occurred to me, but I can see why it's dangerous (with examples on perlmonks). I've been using require, with eval to catch the error. Is this a simpler safe solution?

eval "require '$dumped'";
Update: Thanks tadman for explaining that.

--
Check out my Perlmonks Related Scripts like framechat, reputer, and xNN.


Re^2: Undumper
by tadman (Prior) on Jun 29, 2001 at 12:20 UTC
    How does using 'require' differ from using 'eval'? The documentation of 'require' states that it is fundamentally a fancy 'do', which is just another way of saying 'eval'. It's not the "catching errors" part that worries people. It's the fact that your required file could contain stuff you didn't expect, such as a program to send your password file to some remote system.

    All in all, it is probably best to not require, include, or in any way run code that is arbitrary. 'use', being a compile time thing (outside of eval, of course) is a lot safer since the code can't really be modified while the program is running.

    However, if you are operating in a "clean room" environment, such as a dedicated server with strictly controlled access, where the output from Data::Dumper cannot be tampered with in any conceivable way, I would say that eval'ing that code is not as risky as some would have you believe.

    The real risk comes from running on shared systems with untrusted users who may be able to "deposit" files in your dump directory since they are using the same Web server user (i.e. nobody) and then are able to execute arbitrary code.
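The alternative the reply points toward (do not hand the dump to a bare eval or require), as an added example that is not from any poster in this thread: compile the Data::Dumper text inside a Safe compartment, whose opcode mask admits the ops a data literal needs and refuses command execution and file operations. It assumes the dump is in Data::Dumper's default `$VAR1 = ...;` form; both sample dumps are constructed inline.

```perl
#!/usr/bin/perl
# Added example (not from the thread): load Data::Dumper output without a
# bare eval/require. Safe's ':default' opcode mask allows the data-literal
# ops a dump uses (assignment, anon hashes/lists, refs, bless) but denies
# system, backticks, open, unlink and friends, so a tampered file fails to
# compile instead of running.
use strict;
use warnings;
use Safe;
use Data::Dumper;

# Compile and run dumper text in a restricted compartment. Returns the
# dumped data, or dies with the compartment's compile/runtime error.
sub load_dump {
    my ($text) = @_;
    my $cpt  = Safe->new;              # fresh namespace, ':default' mask
    my $data = $cpt->reval($text);     # runs "$VAR1 = ...;" and returns it
    die "refusing dump: $@" if $@;
    return $data;
}

# Constructed sample 1: an ordinary dump, produced the normal way.
my $good = Dumper({ user => 'alice', roles => [qw(dev ops)] });
my $cfg  = load_dump($good);
print "loaded: $cfg->{user} with roles @{ $cfg->{roles} }\n";

# Constructed sample 2: a dump someone edited so that loading it runs a
# command (the harmless 'true' here). Under eval or require this text would
# execute; the compartment refuses it at compile time because 'system' is
# not in the permitted opcode set, so 'true' never runs.
my $tampered = q{$VAR1 = { user => 'alice', note => system('true') };};
my $loaded   = eval { load_dump($tampered) };
if ($loaded) { print "BUG: tampered dump was executed\n" }
else         { print "rejected tampered dump: $@" }
```

The rejection message comes from Safe itself ("'system' trapped by operation mask"), which is a useful string to log when a dump directory is shared with other users as the reply describes.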
Re: Re: Undumper
by petral (Curate) on Jun 30, 2001 at 01:18 UTC
    I always thought just require'ing the file was enough (not that that makes it any more secure).

      p
