
Re: [MacPerl] How do you use Safe.pm?



At 04.33 10/23/97, Philippe de Rochambeau wrote:
>Lamp type:<SELECT
>NAME="type"><OPTION>halogen<OPTION>street-lamp<OPTION>lamp</SELECT>
>
>Style :<SELECT
>NAME="style"><OPTION>Louis-XVI<OPTION>Louis-XVII<OPTION>Louis-XVIII</SELECT>
>
>Height   <SELECT NAME="opHeight">
>                <OPTION> >
>                <OPTION> <
>                <OPTION> =
></SELECT>
><INPUT TYPE=TEXT NAME="height" VALUE="0">

At 11.54 10/23/97, Mark F. Murphy wrote:
>At 9:33 AM +0100 10/23/97, Philippe de Rochambeau wrote:
>>I have read in various Perl books that eval should be used in CGI
>>scripts because they are unsafe.
>
>Eval's not unsafe for common CGI stuff.  It's unsafe if you get code from
>*outside* your own safe environment and try to eval it.  In other words...
>if you get a string from *somewhere* and eval it it... you have no idea
>what the outside source is having you eval.
>
>However since you're using known options, I don't see anything too
>dangerous in your example.

Well, except that someone could copy his use LWP (or simply copy his HTML source) and change the values of the parameters and send that to the CGI script.  Purty dangerous.

--
Chris Nandor               pudge@pobox.com           http://pudge.net/
%PGPKey=('B76E72AD',[1024,'0824 090B CE73 CA10  1FF7 7F13 8180 B6B6'])
#==                    MacPerl: Power and Ease                     ==#
#==    Publishing Date: Early 1998. http://www.ptf.com/macperl/    ==#
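Chris's point is that the CGI must treat every parameter as untrusted, SELECT options included, since anyone can resubmit the form with altered values. As an added example (not code from this thread), here is one way to handle the lamp form's fields in Perl: an allowlist for type and style, a dispatch table for opHeight so the operator string never reaches a string eval, and a numeric check on height. Field names follow the quoted form; the height bound and the sample inputs are constructed.

```perl
#!/usr/bin/env perl
# Added example: validate the lamp form's parameters server-side instead
# of trusting the <SELECT> options or eval'ing what the client sent.
use strict;
use warnings;

# Allowed values mirror the form's <OPTION>s; anything else is rejected.
my %ALLOWED = (
    type  => { map { $_ => 1 } qw(halogen street-lamp lamp) },
    style => { map { $_ => 1 } qw(Louis-XVI Louis-XVII Louis-XVIII) },
);

# Dispatch table: the operator is looked up, never evaluated as code.
my %COMPARE = (
    '>' => sub { $_[0] >  $_[1] },
    '<' => sub { $_[0] <  $_[1] },
    '=' => sub { $_[0] == $_[1] },
);

# Takes a hashref of raw CGI parameters (e.g. built from CGI->param),
# returns a hashref of validated values or dies with a short message.
sub validate_query {
    my ($q) = @_;
    my %clean;
    for my $field (qw(type style)) {
        my $v = $q->{$field} // '';
        die "bad $field\n" unless $ALLOWED{$field}{$v};
        $clean{$field} = $v;
    }
    my $op = $q->{opHeight} // '';
    $op =~ s/^\s+|\s+$//g;          # the form's options carry leading spaces
    die "bad opHeight\n" unless exists $COMPARE{$op};
    $clean{opHeight} = $op;
    my $h = $q->{height} // '';
    die "bad height\n" unless $h =~ /\A\d{1,4}\z/;   # constructed bound: 0..9999
    $clean{height} = $h + 0;
    return \%clean;
}

# Compare a stock lamp's height against the validated request.
sub height_matches {
    my ($clean, $lamp_height) = @_;
    return $COMPARE{ $clean->{opHeight} }->($lamp_height, $clean->{height});
}

# Constructed inputs: a genuine submission, then one with edited values.
for my $q (
    { type => 'halogen', style => 'Louis-XVI', opHeight => ' >', height => '50' },
    { type => 'neon',    style => 'Louis-XVI', opHeight => '**', height => '50' },
) {
    my $clean = eval { validate_query($q) };   # block eval only traps die; no string is evaluated
    if (!$clean) { print "rejected: $@"; next }
    printf "%s %s, height %s %d vs 60: %s\n", $clean->{type}, $clean->{style},
        $clean->{opHeight}, $clean->{height}, height_matches($clean, 60) ? 'match' : 'no match';
}
```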


