On Tue, Apr 24, 2001 at 09:47:21AM -0700, Gisle Aas wrote:

> > 234c234,235
> > <     my $netloc = $request->url->host_port;
> > ---
> > >     my $ru = $request->url;
> > >     my $netloc = $ru->can('host_port') ? $ru->host_port : $ru->host;
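Review bot: the fallback arm of the ternary on the second added line calls $ru->host without checking that the object has that method, so a URI class with neither host_port nor host still dies here. Guard the fallback too, for example with $ru->can('host'), or trap the call, and state what $netloc should be when the URI has no host at all.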
> 
> Not all URIs have a 'host' method either.  I think simply making it:
> 
>    $netloc = eval { $ru->host_port };
> 
> should do.

If eval{}ing arbitrary URIs is safe ... what happens on the 'URI'

  http://$usersuppliedvalue/

?  I'd have to check this particular case ...  Does LWP promise in general
to avoid exploits of this nature?

> But then we have the $SIG{__DIE__} stupidity which makes it:
> 
>    $netloc = eval { local $SIG{__DIE__}; $ru->host_port };

That's nice enough, if eval{} really doesn't lead to exploitable URIs.

-- 
Reinier
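
An added example, not part of the original message or of LWP's code, showing what the eval BLOCK form discussed above does with a URI whose text looks like Perl. The Demo::WithHost and Demo::NoHost classes, netloc_of(), $marker and $handler_calls are hypothetical names, and the URI strings are constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-ins for URI objects (not the real URI classes).
{   package Demo::WithHost;          # a scheme that has host_port
    sub new { my ($class, $str) = @_; return bless { str => $str }, $class }
    sub host_port {
        my ($self) = @_;
        # Return the authority part as plain text.
        my ($auth) = $self->{str} =~ m{^\w+://([^/?#]*)};
        return $auth;
    }
}
{   package Demo::NoHost;            # a mailto-like scheme without host_port
    sub new { my ($class, $str) = @_; return bless { str => $str }, $class }
}

our $marker        = 0;   # would become 1 if the URI text were run as Perl
our $handler_calls = 0;   # counts invocations of the global __DIE__ hook
$SIG{__DIE__} = sub { $handler_calls++ };

sub netloc_of {
    my ($ru) = @_;
    # eval BLOCK is compiled together with this file and only traps die();
    # the URI string is never handed to the Perl parser (that is eval STRING).
    # local $SIG{__DIE__} keeps the caller's hook from firing on the trapped error.
    my $netloc = eval { local $SIG{__DIE__}; $ru->host_port };
    return $netloc;
}

# Constructed input: an authority that would be code under string eval.
my $odd  = Demo::WithHost->new('http://@{[ $main::marker = 1 ]}/');
my $mail = Demo::NoHost->new('mailto:user@example.org');

my $netloc  = netloc_of($odd);
my $missing = netloc_of($mail);

printf "netloc        = %s\n", $netloc;
printf "marker        = %d\n", $marker;
printf "no host_port  = %s\n", defined $missing ? $missing : 'undef';
printf "handler calls = %d\n", $handler_calls;
```

The block form is exception handling only; the risk the question describes applies to eval with a string argument built from untrusted data.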
