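# New Ticket Created by Zoffix Znet
# Please include the string: [perl #128283]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=128283 >

The operators for the `cmp-ok` subroutine can be given as strings or as Callables. The problem with strings is the subroutine evals them as `EVAL "&infix:<$op>"` and the current implementation makes it impossible to use, say, '<' as an operator:

```
<Zoffix> m: use Test; cmp-ok 2, '<', 5, 'seems sane';
<camelia> rakudo-moar beb3c9: OUTPUT«not ok 1 - seems sane# Failed test 'seems sane'# at /tmp/kqui3siS7u line 1# Could not use '<' as a comparator»
```

It does work with `&[<]` instead of '<', and considering that's only 1 character longer and there's no 100% clean way to allow any op in a string, I propose we ditch the string version entirely.

While I don't know anything about SETTINGS, the current implementation also has a security hole, at least in camelia, where `run`, while restricted in general code, is given a free pass when injected inside the string comparator passed to `cmp-ok`:

```
<Zoffix> m: run "ls"
<camelia> rakudo-moar beb3c9: OUTPUT«run is disallowed in restricted setting in sub restricted at src/RESTRICTED.setting line 1 in sub run at src/RESTRICTED.setting line 14 in block <unit> at /tmp/wWcCMBi30n line 1»
<Zoffix> m: use Test; cmp-ok '', '~~>;warn run "ls"; <z', '', '';
<camelia> rakudo-moar beb3c9: OUTPUT«Perlitodalek-queueevalbotevalbot.logfooliblogmboxnqp-jsp1p2p6eval-tokenperl5rakudo-j-1rakudo-j-2rakudo-j-instrakudo-j-inst-1rakudo-j-inst-2rakudo-m-1rakudo-m-2rakudo-m-instrakudo-m-inst-1rak…»
```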
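
One way to accept operator strings without interpolating them into `EVAL`, shown as an added example that is not part of the ticket and is not code from Rakudo's Test module. The names `%COMPARATORS`, `resolve-comparator` and `safe-cmp-ok` are hypothetical, the operator set is an assumed allowlist, and the last input is constructed to have the same shape as the one in the ticket.

```raku
# Added example; names are hypothetical, not Rakudo's Test module.
# Operator strings map to Callables in a fixed table, so the string
# is only ever used as a hash key and never becomes source code.
my %COMPARATORS =
    '<'   => &[<],
    '<='  => &[<=],
    '=='  => &[==],
    '>='  => &[>=],
    '>'   => &[>],
    'eq'  => &[eq],
    'ne'  => &[ne],
    'lt'  => &[lt],
    'gt'  => &[gt],
    '===' => &[===],
    'eqv' => &[eqv],
;

# Returns a Callable, or Nil when the operator is not on the allowlist.
sub resolve-comparator($op) {
    return $op if $op ~~ Callable;      # &[<] and friends pass through
    return Nil unless $op ~~ Str;
    %COMPARATORS{$op} // Nil
}

# Minimal stand-in for cmp-ok: prints a TAP-like line, returns a Bool.
sub safe-cmp-ok($got, $op, $expected, $desc) {
    my $cmp = resolve-comparator($op);
    unless $cmp.defined {
        say "not ok - $desc # Could not use '$op' as a comparator";
        return False;
    }
    my $ok = so $cmp($got, $expected);
    say ($ok ?? "ok" !! "not ok") ~ " - $desc";
    $ok
}

safe-cmp-ok 2, '<',  5, 'string operator resolved from the table';
safe-cmp-ok 2, &[<], 5, 'Callable passed through unchanged';

# Constructed input shaped like the one in the ticket: it is not a key
# in the table, so it is rejected and nothing in it is compiled or run.
safe-cmp-ok '', '~~>; note "injected"; <z', '', 'injection attempt';
```

A fixed table cannot see user-defined operators, which is the trade-off the ticket points at; callers with custom operators pass the Callable form.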
The operators for `cmp-ok` subroutine can be given as strings or as Callables. The problem with strings is the subroutine evals them as EVAL "&infix:<$op>" and the current implementation makes it impossible to use, say '<' as an operator: <Zoffix> m: use Test; cmp-ok 2, '<', 5, 'seems sane'; <camelia> rakudo-moar beb3c9: OUTPUT«not ok 1 - seems sane# Failed test 'seems sane'# at /tmp/kqui3siS7u line 1# Could not use '<' as a comparator» It does work with &[<] instead of '<' and considering that's only 1 character longer and there's no 100% clean way to allow any op in a string, I propose we ditch the string version entirely. While I don't know anything about SETTINGS, the current implementation also has a security hole, at least in camelia where `run`, while restricted in general code, is given a free pass when injected inside the string comparator passed to cmp-ok: <Zoffix> m: run "ls" <camelia> rakudo-moar beb3c9: OUTPUT«run is disallowed in restricted setting in sub restricted at src/RESTRICTED.setting line 1 in sub run at src/RESTRICTED.setting line 14 in block <unit> at /tmp/wWcCMBi30n line 1» <Zoffix> m: use Test; cmp-ok '', '~~>;warn run "ls"; <z', '', ''; <camelia> rakudo-moar beb3c9: OUTPUT«Perlitodalek-queueevalbotevalbot.logfooliblogmboxnqp-jsp1p2p6eval-tokenperl5rakudo-j-1rakudo-j-2rakudo-j-instrakudo-j-inst-1rakudo-j-inst-2rakudo-m-1rakudo-m-2rakudo-m-instrakudo-m-inst-1rak…»