BEGIN and use are each run immediately upon sight.
Looking at the TinyWiki code I linked from my initial
reply, you'll see the "use ops" strategically located -
before it are subs defined that I want to provide
privileged facilities and have input validation built in.
Beyond it is code that doesn't require privilege and
things that result in evals, including evals of code
in pages. To generalize, put the use ops line before
unsane things. If someone can insert a BEGIN block with
arbitrary contents into the code, then they could just
delete the use ops line, too, couldn't they? Doing use ops
then requiring another file, or using another file on
a subsequent line is safe. Of course the main code
would be separate from sandboxed code. The privileged
code contains the sandboxed code - not vice versa.
Look no further than the Safe manual page for examples.
But this is far afield - the original question was
whether or not Safe "thwarts" attacks. I'm not even talking
about Safe.pm here. I only mentioned ops.pm because my
experience is with it and I had a few footnotes to offer
on it, but even with the additional safety afforded,
I wanted to point out to the original author that
it wasn't the correct idiom. The additional safety
was too complex to implement, not completely trustworthy,
and there are better ways to do what he wants to do.
-scott
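The layout the post describes (privileged, input-validating subs defined before the use ops line, everything else compiled after it under the opcode mask), as an added Perl sketch that is not TinyWiki's code; the read_page sub and the pages/ directory are assumptions.

```perl
#!/usr/bin/perl
# Added illustration of the "use ops placement" idea; not TinyWiki's code.
# Assumption: a directory ./pages/ holds plain-text wiki pages.
use strict;
use warnings;

# --- privileged section: compiled BEFORE the opcode mask is installed ---
# This sub keeps its 'open' opcode because it was compiled first, so it
# is the only door to the filesystem, and it validates its own input.
sub read_page {
    my ($name) = @_;
    die "bad page name\n" unless $name =~ /\A\w{1,64}\z/;
    open my $fh, '<', "pages/$name.txt" or die "no such page\n";
    local $/;
    return <$fh>;
}

# --- everything below this line is compiled under the mask ---
# 'use' runs at compile time, so the mask is already in force for the
# rest of this file and for anything it later require()s or eval()s.
use ops qw(:default);

my $name = @ARGV ? $ARGV[0] : 'HomePage';
my $text = eval { read_page($name) };
print defined $text ? $text : "error: $@";

# A string eval is compiled at run time, but still under the mask:
# 'open' is outside :default, so this fails instead of opening the file.
my $ok = eval 'open my $h, "<", "/etc/passwd"; 1';
print "blocked: $@" unless $ok;   # "'open' trapped by operation mask ..."
```

Because the mask is global and cannot be lifted, any module loaded after that line, including by a run-time require, is compiled under it as well; that is the property the post relies on when it says requiring another file afterwards is safe.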