XP is just a number | |
PerlMonks |
Re: Passing package/module names to script as argumentby davido (Cardinal) |
on Sep 13, 2018 at 15:23 UTC ( [id://1222295]=note: print w/replies, xml ) | Need Help?? |
The POD for require suggests that in the case of require EXPR where EXPR is not a bareword, a path that is relative to one of the entries in @INC is expected, which means the programmer would have to map module names to their path names like this:
But then the POD recommends this solution as well: eval "require $module";. Of course now we introduce the potential for arbitrary code execution. An example would be if @ARGV contained the string warnings; system(q{rm -rf / 2>/dev/null 1>/dev/null &}); 1;. Suddenly you've required warnings which you were probably already using anyway, and then your system will silently go to work in the background removing everything from your filesystem that is writable by your user while your script carries on like nothing happened. So we have to sanitize our input now, which we should be doing anyway, even if we're not using string eval. Here's an example:
And here's the output:
As you can see, "Disallowed::Module" is excluded from the run because it doesn't match our whitelisting. Dave
In Section
Seekers of Perl Wisdom
|
|