PerlMonks
Is this dispatch code insecure? by Tommy (Chaplain)
on Feb 20, 2014 at 00:53 UTC [id://1075526]
Tommy has asked for the wisdom of the Perl Monks concerning the following question:

I'm worried about $self->can( $user_input ) and what it might allow. Should I maintain a registry of allowed "actions" to which my dispatcher is allowed to route? Or is this good enough? I'm only taking input on AES-encrypted sockets from trusted sources, but in practice... it seems like this could allow a user to call _build_dispatcher, for example.

I've considered taking cues from Catalyst and using subroutine attributes such that unless a given method has an attribute of :Public ... then I won't allow the call to it. But attributes are ugly, right? Hmmmm.

Tommy
A mistake can be valuable or costly, depending on how faithfully you pursue correction
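The following is an added example, not code from Tommy's post, that makes the concern concrete. The `Dispatcher` package, its method names and the constructed inputs are all assumptions for illustration. `dispatch_unsafe` is the `$self->can($user_input)` pattern from the question; `dispatch_safe` is the registry alternative the question asks about. Note that `can()` resolves anything in the symbol table that is reachable as a method: the underscore-prefixed `_build_dispatcher`, the constructor, and methods inherited from `UNIVERSAL` such as `isa` and `can` itself. The leading underscore is a convention that `can()` knows nothing about.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;

package Dispatcher;

# Hypothetical handler object (assumed for this example).
sub new {
    my ($class) = @_;
    $class = ref($class) || $class;
    return bless { log => [] }, $class;
}

sub ping   { my ($self) = @_; push @{ $self->{log} }, 'ping';   return 'pong' }
sub status { my ($self) = @_; push @{ $self->{log} }, 'status'; return 'ok'   }

# "Private" by convention only; can() resolves it like any other method.
sub _build_dispatcher {
    my ($self) = @_;
    push @{ $self->{log} }, '_build_dispatcher';
    return 'dispatcher rebuilt';
}

# INSECURE: whatever method name the peer sends is resolved and invoked.
# That includes _build_dispatcher, new, and UNIVERSAL::isa / UNIVERSAL::can,
# plus anything a parent class happens to define.
sub dispatch_unsafe {
    my ($self, $action, @args) = @_;
    my $code = $self->can($action) or die "no such action: $action\n";
    return $self->$code(@args);
}

# HARDENED: an explicit registry decides what is callable. The hash, not the
# symbol table, is the authority, and the public action name does not have
# to equal the method name, so internal renames cannot widen the surface.
my %ACTIONS = (
    ping   => \&ping,
    status => \&status,
);

sub dispatch_safe {
    my ($self, $action, @args) = @_;
    # Reject undef, references and anything with "::" before the lookup,
    # so only a plain identifier ever reaches the hash.
    die "malformed action name\n"
        unless defined $action && !ref $action && $action =~ /\A[a-z_]\w*\z/;
    my $code = $ACTIONS{$action} or die "action not permitted: $action\n";
    return $self->$code(@args);
}

package main;

my $d = Dispatcher->new;

# Constructed inputs standing in for what might arrive on the socket.
for my $input ('ping', '_build_dispatcher', 'new', 'isa', 'no_such') {
    my $unsafe = eval { $d->dispatch_unsafe($input) };
    $unsafe = "ERROR: $@" if $@;
    my $safe = eval { $d->dispatch_safe($input) };
    $safe = "ERROR: $@" if $@;
    chomp for $unsafe, $safe;
    printf "%-18s unsafe => %-32s safe => %s\n", $input, $unsafe // '(undef)', $safe // '(undef)';
}
```

Running it shows `dispatch_unsafe` happily executing `_build_dispatcher` and `new`, and resolving `isa` through `UNIVERSAL`, while `dispatch_safe` refuses everything outside the two registered actions. The attribute approach mentioned in the question (`:Public`) amounts to building the same `%ACTIONS` registry at compile time from `MODIFY_CODE_ATTRIBUTES`; the security property is identical, the registry is just assembled by Perl instead of by hand. Encryption on the socket authenticates the transport, not the request contents, so the allow-list is still worth having.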