[EMAIL PROTECTED] (Christopher Lee) wrote:
>There's a real live working example if anybody wants it, called "Wing", 
>available from your local friendly CPAN.
>
>The module is used as an IMAP interface but the main module handles everything
>except logins, the url is used to pass commands around, the one I'm looking at
>at the moment is
>
>http://server1.herald.ox.ac.uk/wing/cmd/ball0000/x/compose
>
>The "wing/cmd" tells the module that this is a call for the function called 
>(in this case) "cmd_compose" with the parameters "ball0000" (a username) 
>(x is a dummy used for other functions I think).
>
>Internally the module takes 'compose' and prefixes it with 'cmd_',
>evals the string as a soft reference to a function and returns an error
>code if the function doesn't exist, or runs the function if it does.
>
>It only lets a strict subset of functions run (it always appends a "cmd_" to 
>the name) so internal functions are safe.


That step is *crucial* to the security of the system.  Without it,
browsers could call any method in the module, including ones that aren't
meant to be called.  D, W.R.!  

By specifying the cmd_ prefix you're essentially adding a "public"
declaration to these subroutines, albeit a fairly ugly one.

In general, when accepting arbitrary user input you want to make sure
there are only a very few access points to the code, then make sure you
have very tight validation of the data in those access points.  Taint
mode comes to mind as one tool in the belt.


  -------------------                            -------------------
  Ken Williams                             Last Bastion of Euclidity
  [EMAIL PROTECTED]                            The Math Forum
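
The prefix-plus-validation pattern discussed in this thread, as an added example that is not Wing's code or anything posted by the participants. The package name My::Mailer, the allowed character sets and lengths, and the status codes are assumptions; the lookup uses can() in place of the string eval the thread describes.

```perl
use strict;
use warnings;

package My::Mailer;    # hypothetical module name

# Only subs carrying the cmd_ prefix are reachable from a URL.
sub cmd_compose { my ($user) = @_; return "compose screen for $user" }
sub cmd_list    { my ($user) = @_; return "mailbox list for $user" }
sub _delete_all { return "internal helper, must never be dispatched" }

# The single access point: map a request path to (status, body).
sub dispatch {
    my ($path) = @_;

    # Tight validation: the whole path must match this shape or it is
    # rejected. Capturing from the regex is also what untaints the
    # values when the script runs under perl -T.
    my ($user, $cmd) = $path =~
        m{\A/wing/cmd/([a-z0-9]{1,16})/[a-z0-9]+/([a-z][a-z0-9_]{0,31})\z}
        or return (400, "bad request");

    # Prefix, then look the sub up by name. No string eval and no
    # symbolic reference, so nothing outside cmd_* can be reached.
    my $handler = __PACKAGE__->can("cmd_$cmd")
        or return (404, "no such command");

    return (200, $handler->($user));
}

package main;

# Constructed sample paths, not taken from a real server.
my @paths = (
    "/wing/cmd/ball0000/x/compose",        # valid: runs cmd_compose
    "/wing/cmd/ball0000/x/delete_all",     # well-formed, no cmd_delete_all
    "/wing/cmd/ball0000/x/_delete_all",    # fails validation (leading _)
    "/wing/cmd/ball0000/x/CGI::param",     # fails validation (colons, caps)
);

for my $path (@paths) {
    my ($status, $body) = My::Mailer::dispatch($path);
    print "$status  $path  =>  $body\n";
}
```

The first path returns 200, the second 404, and the last two 400, so _delete_all stays unreachable whether or not the caller includes the leading underscore.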

