comment on

I'll preface my remarks by noting that I'm not an expert on Safe.pm nor mod_perl, so don't be too surprised if I'm mistaken on some points.

If you store anything in global variables (such as a database module that stores the database connection in a package global), then those can be accessed under such a scheme. Since you are using mod_perl, this becomes rather likely as file-scoped lexicals don't play well with mod_perl and that leads to using package globals.

I wonder if this setup prevents the use of things like Win32::TieRegistry and Win32API::File which would let your users do all sorts of system damage if on Win32 but that don't use things like open that Safe.pm would know to lock up. There may be other similar modules such that non-Win32 system would be similarly vulnerable.

I also suggest you search for information on the current state of the art of Safe.pm. I vaguely recall people finding ways around its protections.

- tye (but my friends call me "Tye")

In reply to (tye)Re: Safe module security and emebeded perl by tye
in thread Safe module security and emebeded perl by gildir

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


laziness, impatience, and hubris
	PerlMonks