[CC'ing Lincoln on this one]

Chris Ochs wrote:
I am using CGI.pm with mod perl, and simply because I hate using
$q->param('var') I use $q->import_names('CGI') so I can reference the post
variables as $CGI::var.  CGI.pm does not clear this namespace and I am not
sure of the best way to clear an entire namespace.  Any ideas?

CGI.pm does clean up imported vars (I don't know why it doesn't work for you):


sub import_names {
    my($self,$namespace,$delete) = self_or_default(@_);
    $namespace = 'Q' unless defined($namespace);
    die "Can't import names into \"main\"\n" if \%{"${namespace}::"} == \%::;
    # Under mod_perl/FastCGI the interpreter persists between requests, so
    # everything currently in the target namespace is wiped first -- not
    # just the names imported by an earlier call.
    if ($delete || $MOD_PERL || exists $ENV{'FCGI_ROLE'}) {
        # can anyone find an easier way to do this?
        foreach (keys %{"${namespace}::"}) {
            local *symbol = "${namespace}::${_}";
            undef $symbol;
            undef @symbol;
            undef %symbol;
        }
    }
    # One scalar and one array per request parameter, named after the
    # parameter once it has been reduced to a legal identifier.
    my($param,@value,$var);
    foreach $param ($self->param) {
        # protect against silly names
        ($var = $param)=~tr/a-zA-Z0-9_/_/c;
        $var =~ s/^(?=\d)/_/;
        local *symbol = "${namespace}::$var";
        @value = $self->param($param);
        @symbol = @value;
        $symbol = $value[0];
    }
}

Though, looking at your example, where you use $q->import_names('CGI') instead of the default 'Q', it seems to be a bad idea, since CGI.pm blindly nukes all vars in any given namespace, including variables which weren't imported. Since you have called $q->import_names('CGI'), it's going to nuke things like $CGI::VERSION and many other CGI:: variables that it needs to operate properly.

I think CGI.pm needs to maintain a global list of vars that it has imported and only undef them. Even that's troublesome: if a malicious user changes the query string to include VERSION=234, it'll override the real $CGI::VERSION. The same goes for many other internal variables. It's quite possible that someone can find security issues with this functionality.

At the very least, CGI.pm shouldn't allow using 'CGI' as the namespace for importing names.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


-- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
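A stand-alone illustration of the two problems raised in this reply, added for this page (it is not CGI.pm's code and was not posted in the thread). It reproduces the import_names() logic against a hypothetical package Demo:: whose $Demo::VERSION and %Demo::internal stand in for CGI::'s own state, feeds it a constructed request of var=hello&VERSION=234, and then shows a variant that records what it imported, undefs only that on the next call, and refuses reserved namespaces. The package name, variable names and the reserved list are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not CGI.pm code): reproduce import_names() against a
# stand-in namespace, then show a tracked, namespace-checked alternative.
use strict;
use warnings;

# Constructed request: what $q->param would return for ?var=hello&VERSION=234
my %request = (var => ['hello'], VERSION => ['234']);

# Hypothetical stand-in for the CGI:: package and the state it relies on.
$Demo::VERSION  = '2.89';
%Demo::internal = (initialized => 1);

# Read a package variable by name (symbolic ref) for the printouts below.
sub peek { my ($name) = @_; no strict 'refs'; return ${$name}; }

# Same logic as the import_names() quoted above: wipe every symbol in the
# target namespace, then create one scalar and one array per parameter.
sub blind_import {
    my ($ns, $params) = @_;
    no strict 'refs';
    for my $name (keys %{"${ns}::"}) {
        undef ${"${ns}::$name"};
        undef @{"${ns}::$name"};
        undef %{"${ns}::$name"};
    }
    for my $param (keys %$params) {
        (my $var = $param) =~ tr/a-zA-Z0-9_/_/c;   # reduce to a legal name
        $var =~ s/^(?=\d)/_/;                       # no leading digit
        @{"${ns}::$var"} = @{ $params->{$param} };
        ${"${ns}::$var"} = $params->{$param}[0];
    }
}

# Safer variant: remember the names created per namespace, undef only those
# on the next call, and refuse namespaces that hold library state.
my %imported;                                    # namespace => [names]
my %reserved = map { $_ => 1 } qw(main CGI Demo);  # assumed deny-list

sub tracked_import {
    my ($ns, $params) = @_;
    die "refusing to import names into '$ns'\n" if $reserved{$ns};
    no strict 'refs';
    for my $name (@{ $imported{$ns} || [] }) {   # only what we created
        undef ${"${ns}::$name"};
        undef @{"${ns}::$name"};
    }
    my @created;
    for my $param (keys %$params) {
        (my $var = $param) =~ tr/a-zA-Z0-9_/_/c;
        $var =~ s/^(?=\d)/_/;
        @{"${ns}::$var"} = @{ $params->{$param} };
        ${"${ns}::$var"} = $params->{$param}[0];
        push @created, $var;
    }
    $imported{$ns} = \@created;
}

# 1. Import into the library's own namespace, as in the question: the
#    request's VERSION=234 replaces $Demo::VERSION and %Demo::internal is gone.
blind_import('Demo', \%request);
printf "blind:   Demo::VERSION=%s internal keys=%d Demo::var=%s\n",
    $Demo::VERSION, scalar(keys %Demo::internal), peek('Demo::var');

# 2. Tracked import into a dedicated namespace: Demo:: is untouched, and the
#    second request no longer leaks the first request's 'var'.
$Demo::VERSION = '2.89';
tracked_import('Q', \%request);
tracked_import('Q', { other => ['x'] });
printf "tracked: Demo::VERSION=%s Q::var=%s Q::other=%s\n",
    $Demo::VERSION, defined peek('Q::var') ? peek('Q::var') : '(undef)',
    peek('Q::other');

# 3. The namespace check stops the original mistake outright.
eval { tracked_import('CGI', \%request) };
print "reserved: $@";
```

Run it with plain perl; the first line of output shows VERSION carrying the attacker-supplied 234 with the internal hash emptied, the second shows the library state intact and the stale Q::var cleared between requests, and the third shows the refusal to import into CGI::.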
