[EMAIL PROTECTED] wrote:
> Yes, I understood that in the very first email you adviced me to use eval. In fact,
> I replied to you saying that the script printed the error and PerlIS did not hang.
> But... what if I have dozens of scripts I have coded in years and all of them use
> one or more lines of "require"? do I have to recode all of those scripts that worked
> just fine on every earlier version of Perl just because of this bug? Well, Im not
> sure if this is a bug, but it is very annoying. :)
>
> To put this more visible. Some of my scripts call external files depending on query
> string.
> For example, if you type http://myhost/script.pl?page=start
> then start.ext is required from scripts.pl using:
>
> $page=param('page');
> require $page;
>
> So if some visitor, just for curiosity or for fun, types
> http://myhost/script.pl?page=kakahs7ehendn (which does not exist) then with this
> error Perl is throwing on this version, the user would crash the server instead of
> receiving an error like "kakahs7ehendn.ext was not found in @INC". See what I mean?
It would be silly to allow a user supplied parameter to cause your script to fail.
You could easily check the parameter before actually using it in a do/require.
eg: if (-f "$page.ext") { do $page; } # check for plain file before using
You should probably also make sure you remove any /s etc from a path before
shelling out or using that path in a manner that would allow the user to
access other directories on the computer. An ideal solution would be to
have a list of all the possible allowed pages in a hash anbd check for
existence in the hash.
Lack of defensive coding can only hurt you in the long run.
> Also, imagine that I have no admin control over the server my scripts are running
> and this happened? what could I do? The would I have to fix every script I have
> coded before because I didn't use eval? I mean, is it normal to enclose require with
> eval? I have seen a lot of other people's scripts and none of them use eval when
> requiring an external file.
>
> That is my point and the real reason why I posted this. Is that I dont get why
> PerlIS behaves like this in this version when earlier versions didnt act like this.
> I have never enclosed "require" lines with "eval" before and PerlIS never did this
> even if I didnt use "eval".
--
,-/- __ _ _ $Bill Luebkert Mailto:[EMAIL PROTECTED]
(_/ / ) // // DBE Collectibles Mailto:[EMAIL PROTECTED]
/ ) /--< o // // Castle of Medieval Myth & Magic http://www.todbe.com/
-/-' /___/_<_</_</_ http://dbecoll.tripod.com/ (My Perl/Lakers stuff)
_______________________________________________
Perl-Win32-Users mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
