"Randal L. Schwartz" wrote:
> Use Template Toolkit, and disable the "EVAL_PERL" option for their space.
> Set up Plugins and Filters that call your Cool Perl Code.
> Then they write arbitary text files to be delivered...
Suppose it were possible to set Perl-based modules to work the same way
C modules currently do (in the sense that they let you offer developers,
users, etc. access to the module without letting them execute arbitrary
code on the server). Would you agree that this would be a good thing?
Your solution above is great. But it's another one of those "I have a
workaround" suggestions.
I wonder if there is a way to skip the workarounds.
If there is, would you agree that it would be a good (no, wonderful)
thing?
And would you agree that, if it's possible to do it, mod_perl would be
more useful if it were set up in such a way that merely enabling it
didn't essentially give everyone with access to the webserver's docroot
the ability to execute arbitrary Perl?
I'm interested in knowing what's possible here. My knowledge of mod_
perl right now is pretty good, from a module developer's standpoint.
I'm just not familiar enough (yet) with its internals to be able to
think and speak creatively about the security possibilities.
--
Richard Goerwitz [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
