On Thu, 11 Mar 2004, Randal L. Schwartz wrote:
> Just run the regex matching inside a Safe compartment. Safe isn't
> *perfect*, but it's better than an 80/20 solution.
I started replacing the 'replace' method using the Safe module
'replace' => sub {
    my ($str, $search, $replace) = @_;
    $replace = '' unless defined $replace;
    return $str unless defined $str and defined $search;
    #### old
    # $str =~ s/$search/$replace/g;
    ##### new
    use Safe;
    # root namespace 'Replace': inside the compartment $str is $Replace::str
    my $compartment = Safe->new('Replace');
    $Replace::str = $str;
    # ^a (control-A) is the s/// delimiter, so '/' in the pattern needs no escaping
    $compartment->reval("\$str =~ s^a$search^a$replace^ag");
    $str = $Replace::str;
    ####
    return $str;
},
(where ^a means control-A)
and it forbids the "system" interpolation.
Now the question is: which are the dangerous methods that have to be
secured?
In my opinion the "secure" option should be included in the tt3 version.
--
Franco Bagnoli (franchino) <[EMAIL PROTECTED]> ([EMAIL PROTECTED])
virtual location: Dipartimento di Energetica "S. Stecco"
ultra-virtual affiliation: Centro Dinamiche Complesse (CSDC-Firenze)
real location: Dip. Matematica Applicata "G. Sansone", Universita' Firenze,
Via S. Marta, 3 I-50139 Firenze, Italy. Tel. +39 0554796422, fax: +39 055471787
_______________________________________________
templates mailing list
[EMAIL PROTECTED]
http://lists.template-toolkit.org/mailman/listinfo/templates
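The Safe-compartment replace filter from the message above, written out as a stand-alone script. This is an added example, not code from the original post or from the Template Toolkit project: the function name `safe_replace` and the sample input are constructed for it. It adds the one check the posted snippet lacks, inspecting `$@` after `reval`, so that a pattern the compartment refuses raises an error instead of the filter silently handing back the input string unchanged.

```perl
#!/usr/bin/perl
# Added example: a 'replace' filter whose s///g runs inside a Safe compartment.
# Not the original post's code; safe_replace() and the sample input are constructed.
use strict;
use warnings;
use Safe;

sub safe_replace {
    my ($str, $search, $replace) = @_;
    $replace = '' unless defined $replace;
    return $str unless defined $str and defined $search;

    # Root namespace 'Replace': inside the compartment, $str is $Replace::str.
    # The default operator mask already excludes system, backticks and file ops.
    my $compartment = Safe->new('Replace');
    $Replace::str = $str;

    # Control-A as the s/// delimiter, so '/' in $search or $replace needs no escaping.
    my $d = "\x01";
    $compartment->reval("\$str =~ s${d}${search}${d}${replace}${d}g");

    # reval() does not die on failure: a trapped op or a syntax error lands in $@
    # (for example "'system' trapped by operation mask at (eval 1) line 1.").
    # Without this check the filter would silently return the unchanged input.
    if ($@) {
        die "replace filter rejected the pattern: $@";
    }
    return $Replace::str;
}

# Constructed sample input: a capture group used in the replacement.
my $out = safe_replace('hello world', 'wor(ld)', 'there, $1');
print "$out\n";
```

The compartment is created per call here, as in the posted snippet; a long-lived filter would hoist `Safe->new` out of the sub and use `$compartment->erase` between uses so state from one substitution cannot leak into the next.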