[diarmuid, please don't forget to Reply-All and CC the list on your follow ups]

  my $q = new CGI;

  my $action = 'SchoolWeb::Actions::' . ($q->param('action') || 'Index');

  eval "use $action";


When you eval you need to check $@ for errors. See 'perldoc -f eval' for
more information.


ok... I've done this, but it now complains on some modules not being found,
e.g.

EVAL: Can't locate SchoolWeb/Actions/ManageFiles.pm in @INC

[EMAIL PROTECTED] Actions]# ls -l /srv/www/admin.schoolweb.ie/perl/SchoolWeb/Actions/ManageFiles.pm
-rwxr-xr-x  1 diarmuid apache 6346 May 27 08:58 /srv/www/admin.schoolweb.ie/perl/SchoolWeb/Actions/ManageFiles.pm
[EMAIL PROTECTED] Actions]#

use lib '/srv/www/admin.schoolweb.ie/perl';

You need to show a complete error message, not a part of it. It's possible that you have a permission problem. Check that the username you run apache with can read those files (you could su(1) to that user, and try to cat(1) the .pm file, for example)

Besides, that code sample is a very very very bad idea, as you eval
non-trusted code. You can be hurt. Badly.


I would have thought it ok since the SchoolWeb::Actions prefix is there? Is
there a better way around trying to dynamically load my modules?

Watch this:

  $q->param('action' => 'ManageFiles; qx[rm -rf /]')
  my $action = 'SchoolWeb::Actions::' . ($q->param('action'));
  eval "use $action";

say bye bye to quite a few of your files writable by the user you run apache with.

To make it safe you could, for example, have a hash of valid names and check that $action is in that hash before evalling it.

Make sure to turn on taint mode (PerlOptions -T in mp2, TaintMode On in
mp1) and fix your code to untaint the input before eval'ing it.


How do I taint check my code as in my example?

http://perl.apache.org/search/swish.cgi?query=taint&sbm=&submit=search


--
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
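As an added example (not code from this thread), here is one way to do what the reply above describes: a hash of valid action names checked before anything is loaded, a regex capture that untaints the chosen name under -T, and require with $@ checked instead of a string eval. The action names, the run() method on the action classes, and the error handling are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread: dispatch only to allowlisted
# action modules, under taint mode, with the load error actually checked.
use strict;
use warnings;
use CGI;
use lib '/srv/www/admin.schoolweb.ie/perl';   # path as given in the thread

# Allowlist of action names that may be loaded. Anything not listed here is
# rejected before it reaches require/eval. (Names are assumptions.)
my %VALID_ACTION = map { $_ => 1 } qw(Index ManageFiles Login);

# Returns the fully qualified class for $name, or undef if $name is not on
# the allowlist. The anchored capture also untaints the value under -T.
sub resolve_action {
    my ($name) = @_;
    $name = 'Index' unless defined $name && length $name;
    return undef unless exists $VALID_ACTION{$name};
    my ($clean) = $name =~ /\A([A-Za-z][A-Za-z0-9_]*)\z/ or return undef;
    return "SchoolWeb::Actions::$clean";
}

# Loads the class with require (no string eval needed) and dies with the
# full error text if it cannot be loaded, so a missing .pm or a permission
# problem shows up in the log instead of being silently ignored.
sub load_action {
    my ($class) = @_;
    (my $file = "$class.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
    eval { require $file; 1 } or die "EVAL: cannot load $class: $@";
    return $class;
}

my $q     = CGI->new;
my $class = resolve_action(scalar $q->param('action'));
unless ($class) {
    print $q->header(-status => '400 Bad Request'), "Unknown action\n";
    exit;
}
my $action = load_action($class);
$action->run($q);   # assumed interface of the SchoolWeb::Actions::* modules
```

Because the allowlist is consulted first and the name must match the anchored pattern, a parameter such as the one in the "watch this" example above never reaches require at all.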