I did. Or at least I tried. His webform was throwing errors, so I ended up sending it to the email address given with the error message.
Here is the text of the message that I sent to him:
Hello,
Earlier today I noticed that you have code in your Makefile.PLs that inclues and evals code served up from perl.4pro.com. While I am sure that you don't mean any harm in doing this, it nonetheless opens up several security holes.
For example, if your site were to be cracked, the intruder could insert code that would be run by any person installing your module. and many people install perl modules as root.
And then there is the issue of trust. How do I know that you are not changing the output of the file based on domain name of the person requesting the file? As a proof of concept, I wrote up a little script which illustrates my point:
http://www.remotelinux.com/rlippan/irony.cgi
And to see it in action:
http://www.remotelinux.com/rlippan/irony
If you are not comming from 4pro.net, You can add domains to the list of evil_domains by passing in ?evil_domain=domain.dom
Thank you for your time,
Rudolf Lippan.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|
