Jozef Kutej <jo...@kutej.net> writes:

> Ansgar Burchardt wrote:
>> A YAML file can call constructors for all loaded modules?  That would
>
> No, not constructors; there is not even a way of knowing what the name
> of the constructor is. But even just loading a module is code
> execution, mostly the code that does the initialization and
> import().

That can still result in interesting behaviour together with
overloading.  For example the attached program will access the Internet
and the value of $data->{foo}->{content} can change between the two
print statements (influenced by whoever operates the server).
This just waits for somebody to find a way to abuse this...

Regards,
Ansgar
#! /usr/bin/perl

package Foo;
use overload '%{}' => \&f;
use LWP::Simple;

sub new {
  bless shift;
}

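# Handler for hash dereference (%{}) of a Foo object.
sub f {
  my $self = shift;
  # Rebless temporarily so that $self->{url} reads the real hash
  # instead of calling this handler again.
  bless $self, 'overload::dummy';
  my $content = get($self->{url});
  bless $self, 'Foo';
  return { content => $content };
}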

1;

package main;
use YAML::Syck;

my $foo = Foo::new({ url => "http://www.google.com/" });
my $data = LoadFile(\*DATA);

# validate data
print $data->{foo}->{content};

# now do something with the validated data
print $data->{foo}->{content};

1;

__DATA__
---
foo: !perl/Foo
  url: http://www.example.org/

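A defensive counterpart to the attached program, added here as an example and not part of the original message: before validating loaded data, copy it into plain unblessed structures and refuse any object, so the value that is checked is the value that is used. `Flaky` and `plain_copy` are hypothetical names, and `Flaky` is a constructed offline stand-in for `Foo` that changes its content on every read instead of fetching a URL.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Constructed stand-in for Foo: each hash dereference returns a new value.
package Flaky {
    use overload '%{}' => sub { return { content => ++$main::calls } };
    sub new { my $x = 0; return bless \$x, shift }
}

# Return a deep copy built only from unblessed hashes, arrays and scalars.
# Objects are rejected before they are dereferenced, so no overload
# handler ever runs during the walk.
sub plain_copy {
    my ($node, $path) = @_;
    $path //= 'data';
    die "blessed " . blessed($node) . " object at $path\n"
        if defined blessed($node);
    my $type = ref $node;
    return $node unless $type;    # plain scalar
    return { map { ($_ => plain_copy($node->{$_}, "$path/$_")) } keys %$node }
        if $type eq 'HASH';
    return [ map { plain_copy($node->[$_], "$path/$_") } 0 .. $#$node ]
        if $type eq 'ARRAY';
    die "unsupported $type reference at $path\n";
}

# What a loader that honours !perl/ tags could hand back (constructed).
my $loaded = { foo => Flaky->new, bar => [ 1, 2 ] };
print "first read:  $loaded->{foo}->{content}\n";    # value at "validation"
print "second read: $loaded->{foo}->{content}\n";    # different value at use

my $safe = eval { plain_copy($loaded) };
print "rejected: $@" unless defined $safe;

# Plain data passes and is detached from the loader's structure.
my $ok = plain_copy({ foo => { content => 'x' }, bar => [ 1, 2 ] });
print "accepted: $ok->{foo}->{content}\n";
```

With YAML::Syck, setting `$YAML::Syck::LoadBlessed` to a false value keeps the loader from blessing data in the first place; the copy then serves as a second check.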