On Mar 25, 2004, at 2:31 PM, Stas Bekman wrote:
> So if you *do* trust require() of a random file to acquire its version, you ought to trust parse_version_untaint_source() just the same.
It's not obvious to me that eval-ing an arbitrary (or semi-arbitrary) line of a file is always as safe as eval-ing the entire file. Consider the following highly contrived example:
package FoolMeTwice;
my $string = <<'EOF';
$VERSION = 5; system("rm -rf /");
EOF
$VERSION = 6;
__END__
That will do almost nothing with "use FoolMeTwice;", but doing parse_version_untaint_source() will wreck your system.
Maybe there are no non-contrived examples, though.
-Ken
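As an added illustration of the point in Ken's message (example code, not from this thread, Module::Build or MakeMaker): a line-grabbing version scanner selects the `$VERSION` line that sits inside the heredoc, while a scanner that tracks heredoc terminators selects the line `require` would actually execute. The heredoc handling is a hypothetical helper that only covers the plain `<<EOF` / `<<'EOF'` / `<<"EOF"` forms, and neither function evals anything; they only report which line a parser would go on to eval.

```python
import re

# Constructed sample module, modelled on the FoolMeTwice case above: the first
# "$VERSION = ..." line is the body of a single-quoted heredoc, so `require`
# never executes it, but a line-based version parser sees it first.
SAMPLE = """package FoolMeTwice;
my $string = <<'EOF';
$VERSION = 5; print "this line is only a string";
EOF
$VERSION = 6;
__END__
"""

# Roughly the shape of the assignment such parsers look for.
VERSION_LINE = re.compile(r'^\s*(?:our\s+)?\$(?:\w+::)*VERSION\s*=')
# Heredoc openers: <<EOF, <<'EOF', <<"EOF" (the bare form must start with a
# letter or underscore so a shift like `1 << 2` is not mistaken for one).
HEREDOC_OPEN = re.compile(r'<<(?:(["\'])(\w+)\1|([A-Za-z_]\w*))')

def naive_version_line(src):
    """Return the first line that looks like a $VERSION assignment, i.e. the
    line a naive parse_version-style extractor would hand to eval."""
    for line in src.splitlines():
        if VERSION_LINE.match(line):
            return line
    return None

def heredoc_aware_version_line(src):
    """Same scan, but skip lines that are the body of a heredoc string and stop
    at __END__, so only code Perl would compile is considered (hypothetical)."""
    terminator = None
    for line in src.splitlines():
        if terminator is not None:          # inside a heredoc body
            if line == terminator:
                terminator = None
            continue
        if line.strip() == "__END__":
            break
        m = HEREDOC_OPEN.search(line)
        if m:                               # body starts on the next line
            terminator = m.group(2) or m.group(3)
        if VERSION_LINE.match(line):
            return line
    return None
```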
