
Perl 6 strings, interpolation and templates?

by BerntB (Deacon)
on Mar 15, 2009 at 00:00 UTC (#750686)

BerntB has asked for the wisdom of the Perl Monks concerning the following question:

I thought it is high time to ask my first Perl 6 question on PerlMonks, so... :-)

On http://planet.perl.org, Gabor Szabo is posting introductory material on Perl 6; here is a post about strings in Perl 6. I must be missing something? One of the examples is:

say "Hello { join(', ', @names) } how are you?";

Evaluating code in strings seems ripe for exploitation by any form of templating code which reads strings from files to print them? Is this handled with some kind of tainting functionality in Perl 6?

(There is similar evaluation of code in Perl 5's regexps, but they have security handling for just this.)

Re: Perl 6 strings, interpolation and templates?
by ikegami (Pope) on Mar 15, 2009 at 00:33 UTC
    You can already do that in Perl 5:
    say "Hello @{[ join(', ', @names) ]} how are you?";

    There's no security issue because it's not say that causes the interpolation, it's the string literal. And it's no more possible for someone to provide a string literal as they could provide a for loop.

    use strict;
    use warnings;
    use 5.010;

    my @names = qw( ikegami );

    # A string literal in the source: interpolated at compile time.
    say "Hello @{[ join(', ', @names) ]} how are you?";

    # The same text arriving as data (single-quoted here, but it could
    # come from a file): printed verbatim, nothing is evaluated.
    my $user_input = q{Hello @{[ join(', ', @names) ]} how are you?};
    say $user_input;

    Hello ikegami how are you?
    Hello @{[ join(', ', @names) ]} how are you?

      Ah yes, 5.10... version limitations at work means that I've not read the perldoc for it yet. :-(

      Thanks. Sorry for stupid q.

        It's just the say that's 5.10 specific here... the interpolation mechanism already worked like this before...

        (This is just array interpolation with an anonymous array — in between the [...] can go arbitrary code.)

Re: Perl 6 strings, interpolation and templates?
by moritz (Cardinal) on Mar 15, 2009 at 18:14 UTC
    Evaluating code in strings seems ripe for exploitation by any form of templating code which reads strings from files to print them?

    No, the interpolation only happens when you eval the string, not when you read it.

      Thanks, but I wrote a stupid question, but not that stupid. :-)
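An added example (not from ikegami, moritz or anyone else in this thread) that puts both answers into practice: a template string held in a variable is plain data when printed, and placeholders are filled with a regex substitution rather than a string eval. The `{{name}}` placeholder syntax, the sample template text and `render_template` are all constructed for this illustration.

```perl
use strict;
use warnings;
use 5.010;

# Constructed sample standing in for a line read from a user-supplied
# template file. It contains text that *looks* like Perl 5 and Perl 6
# interpolation syntax; if any of it were evaluated, die() would fire.
my $template = 'Hello {{name}}, {{greeting}} '
             . '@{[ die "Perl 5 syntax was evaluated" ]} '
             . '{ die "Perl 6 syntax was evaluated" }';

my %vars = ( name => 'BerntB', greeting => 'how are you?' );

# 1. Interpolation belongs to string *literals* in source code, not to
#    say/print: a string held in a variable is data and is printed as-is.
say $template;

# 2. Placeholder filling without a string eval. The /e flag runs code the
#    program author wrote (a hash lookup); the captured placeholder name is
#    only ever used as a key. Unknown placeholders are left untouched
#    rather than evaluated.
sub render_template {
    my ($tmpl, $vars) = @_;
    $tmpl =~ s/\{\{(\w+)\}\}/exists $vars->{$1} ? $vars->{$1} : "{{$1}}"/ge;
    return $tmpl;
}

say render_template($template, \%vars);

# Only a string eval of the template (eval qq{"$template"}) would make the
# embedded code run; reading, printing and substituting into it never does.
```

Both lines print with the `@{[ ... ]}` and `{ ... }` text intact, and the second has `{{name}}` and `{{greeting}}` replaced by the hash values.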
