
Re: [MacPerl] Data::Dumper, eval and taint




On Fri, 22 Sep 2000, Andrew O. Mellinger wrote:

>    I would like to use data dumper to store datafiles.  The idea is 
> then to load the info in (through eval) and pass it on to 
> HTML::Template for display.  However, taint really doesn't like eval, 
> and I'm trying to find a simple way to make sure the data is clean, 
> instead of going on faith.  Any ideas?

If it is really data, why do you need to eval it?  Why not just read in a 
file or tie a DB?

If the issue is whether the data is well-formed, you should be able to get
around the eval limitations, and taint is probably too strict a check to
use, anyway.

On the other hand, if the issue is whether a user has deliberately entered
bad data, then you shouldn't untaint it.  You probably should separate
your code (the eval part) from the user data (the potentially malicious
stuff), by reading and writing a data-only file.

There is no way AFAIK to programmatically generate trust in code, only in
data passed to code.  "Tainted" code can only be walled off and limited.

--
MattLangford 
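
The data-only file suggested in the reply above, as an added example that is not part of the original message: records are stored as escaped `key=value` lines and parsed with a strict pattern, so nothing read from disk is ever passed to `eval`. The names `save_data`, `load_data` and `records.dat` are hypothetical, and values are assumed to be byte strings.

```perl
# Run as: perl -T example.pl
use strict;
use warnings;
use re 'taint';   # regex captures keep their taint, so loaded values stay tainted

# Write a flat hash as "key=value" lines; bytes outside a small safe set
# (including '=', '%' and newline) are stored as %XX escapes.
sub save_data {
    my ($path, $data) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    for my $key (sort keys %$data) {
        die "bad key '$key'" unless $key =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;
        (my $val = $data->{$key}) =~ s/([^A-Za-z0-9 _.,:\/-])/sprintf '%%%02X', ord $1/ge;
        print {$fh} "$key=$val\n";
    }
    close $fh or die "close $path: $!";
}

# Read the file back as data only. A line that does not match the grammar
# aborts the load; there is no code path that executes file content.
sub load_data {
    my ($path) = @_;
    my %data;
    open my $fh, '<', $path or die "open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my ($key, $val) = $line =~
            /\A([A-Za-z_][A-Za-z0-9_]*)=((?:[A-Za-z0-9 _.,:\/-]|%[0-9A-F]{2})*)\z/
            or die "malformed line $. in $path";
        $val =~ s/%([0-9A-F]{2})/chr hex $1/ge;   # decode escapes; result is still tainted
        $data{$key} = $val;
    }
    close $fh;
    return \%data;
}

# Constructed sample data: the second value looks like Perl code but is only text.
my $file = 'records.dat';
save_data($file, { title => 'Q3 report', note => q{'}; print "not run"; {'} });
my $loaded = load_data($file);
printf "%s => %s\n", $_, $loaded->{$_} for sort keys %$loaded;
unlink $file or warn "unlink $file: $!";
```

Because the loaded values remain tainted, Perl still refuses to use them in `eval`, `system` or a write-mode `open`, while printing them or handing them to a template for display is unaffected.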

