On 2017-05-30 03:49 PM, Dirk-Willem van Gulik wrote:

On 30 May 2017, at 16:43, John Dunlap <j...@lariat.co> wrote:

How is it a security hole?
….

    > my $ret = eval { $m->...() };


Just imagine $m->...() returning something containing a valid perl expression such as " `rm -rf /'; ", system("rm -rf /"); or something that wires up a shell to a TCP socket.

Dw.

But that isn't how it works - the "{" "}" brace means $m->...() is run - but the output is trapped... the two types of eval are different....



--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
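The distinction the last reply draws (eval BLOCK runs the code between the braces and traps exceptions; eval STRING compiles whatever string it is handed) can be checked directly. The script below is an added illustration, not code from the thread; the `Untrusted` package and its `output` method are hypothetical stand-ins for `$m->...()`, and the payload is a constructed, benign string that merely sets a flag so the two forms can be told apart.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical object standing in for $m in the thread. Its method returns a
# string that happens to be valid Perl source (constructed, benign payload:
# it only sets a flag if it is ever compiled and run).
package Untrusted;
sub new    { return bless {}, shift }
sub output { return 'do { $main::executed = 1; "ran as code" }' }

package main;

our $executed = 0;
my $m = Untrusted->new;

# eval BLOCK: the braces are compiled once, with the rest of the file.
# At run time only $m->output() is called; its return value is data and
# is never compiled, no matter what it contains.
my $ret = eval { $m->output() };
printf "eval BLOCK returned a %d-byte string, executed=%d\n",
       length($ret), $executed;    # executed is still 0

# eval BLOCK is the idiom for trapping die(): the exception lands in $@.
my $ok = eval { die "boom\n"; 1 };
print "caught: $@" unless $ok;

# eval STRING: compiles and runs its argument as Perl code at run time.
# Handing it a value from an untrusted source is code injection.
my $ret2 = eval $m->output();
printf "eval STRING returned '%s', executed=%d\n", $ret2, $executed;
# executed is now 1
```

Run it with `perl` and compare the two `executed=` values: the block form leaves the flag at 0 and returns the raw string, while the string form returns `ran as code` and flips the flag. The check a reviewer wants in code like `my $ret = eval { $m->...() };` is therefore only that the braces are present; it is `eval $string` with externally supplied content that needs to go.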
