1) Passing a block(as opposed to a string) is no more dangerous than
executing the same code outside of eval. For example,
my $success = eval {
my %member_hash;
my $member_hash;
my $member_Co;
foreach (@memb) {
# Fetch entry.
my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
ldap => $ldap,
dn => $_,
opts => {control => $control}, # Important!
);
$member_Co = $entry2->get_value('company');
}
return 1;
};
if (!$success) {
warn "ERROR: $@";
}
On Wed, May 31, 2017 at 12:38 PM, Hiram Gibbard <[email protected]> wrote:
> So when we say "from the internet" does that include intranet? What I
> have is a form that lists all the members of a group defined in LDAP. The
> call to get the members for the group is all internal and our companies
> internal ldap server. is that considered "from internet". I didn't write
> this app, just trying to make adjustments. Currently if you hit a member of
> the group that has been terminated/removed from ldap, the app errors out
> because the its it a member of the group in which its trying to execute a
> look on while listing.
>
> my %member_hash;
> my $member_hash;
> my $member_Co;
> foreach (@memb) {
> # Fetch entry.
>
> my $entry2 = $m->comp("/widgets/ldap/dn2entry.mpl",
> ldap => $ldap,
> dn => $_,
> opts => {control => $control}, # Important!
> );
>
> $member_Co = $entry2->get_value('company');
>
> }
>
> 1. Is it a security issue to wrap $entry2 code in a eval { } statement?
> 2. I'm thinking there is a better way to do this because (code wise)
> becuase ever since i put the eval {} in place (in dev env), groups with
> thousands of members takes a very long time to display.
>
>
> here is the code for dn2entry.mpl:
>
>
>
>
> On Tue, May 30, 2017 at 3:13 PM, John Dunlap <[email protected]> wrote:
>
>> Okay, I can see that but we were talking specifically about eval. So, my
>> examples were intended to showcase the two ways that eval can be called and
>> not how to safely obtain data from the internet.
>>
>> On Tue, May 30, 2017 at 4:06 PM, Ruben Safir <[email protected]> wrote:
>>
>>> On 05/30/2017 04:04 PM, John Dunlap wrote:
>>> > In that example, the contents of $data are never evaluated by eval so
>>> > even if it can be "smashed"(whatever that means) eval would have
>>> nothing
>>> > to do with the failure.
>>>
>>>
>>> it means your bringing in data without a limit and you can smash the
>>> stack like that and I've seen this kind of code do just that.
>>>
>>> That is not just an issue for eval...
>>>
>>>
>>>
>>> --
>>> So many immigrant groups have swept through our town
>>> that Brooklyn, like Atlantis, reaches mythological
>>> proportions in the mind of the world - RI Safir 1998
>>> http://www.mrbrklyn.com
>>>
>>> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
>>> http://www.nylxs.com - Leadership Development in Free Software
>>> http://www2.mrbrklyn.com/resources - Unpublished Archive
>>> http://www.coinhangout.com - coins!
>>> http://www.brooklyn-living.com
>>>
>>> Being so tracked is for FARM ANIMALS and and extermination camps,
>>> but incompatible with living as a free human being. -RI Safir 2013
>>>
>>
>>
>>
>> --
>> John Dunlap
>> *CTO | Lariat *
>>
>> *Direct:*
>> *[email protected] <[email protected]>*
>>
>> *Customer Service:*
>> 877.268.6667
>> [email protected]
>>
>
>
>
> --
> Hiram Gibbard
> [email protected]
> http://hiramgibbard.com
>
>
--
John Dunlap
*CTO | Lariat *
*Direct:*
*[email protected] <[email protected]>*
*Customer Service:*
877.268.6667
[email protected]
