http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8015
--- Comment #128 from Jared Camins-Esakov <[email protected]> ---

(In reply to Paul Poulain from comment #127)
> Katrin, please reconsider your position = this improvement is very important
> for libraries, much more than a technical perlcritic violation.
> My opinion here is that we must decide that the user interest is more
> important than this single violation.
> (the law must serve us, we must not serve the law)

This is not a minor violation. As far as I can tell, there is unsanitized user input being run directly. Consider the following code:

    eval { $eval };   !=   eval $eval;

    use strict;
    use feature 'say';

    # the "template": a substitution followed by arbitrary Perl
    my $r = q|/foo/fee/; print "hi";|;
    my @values = ("foo", "bar", "foobar");
    for my $v ( @values ) {
        eval {"\$v =~ s$r"};   # block form: the string is an expression, evaluated as data
        say $v;
        eval "\$v =~ s$r";     # string form: the string is compiled and run as Perl code
        say $v;
    }

Result: "hi" is printed by each eval.

This example is fairly benign, but what if the regex were as follows:

    my $r = q|/whatever/something/; require C4::Context; $dbh = C4::Context->dbh; $dbh->do("DELETE FROM issues;")|;

I was unable to test this example, since I couldn't get MARC modification templates to work during a cursory test, but I'm sure you see my point.

-- 
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
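One way to apply a template of the form /pattern/replacement/flags without ever handing the string to `eval`, added here as an illustration and not Koha's own code: parse the three parts with a strict grammar, compile the pattern with `qr//`, and interpolate the replacement as data. The helper names `parse_substitution` and `apply_substitution` are hypothetical, and the sample templates are constructed (the second one is the post's own injection attempt, which the parser rejects outright). Backreferences such as `$1` in the replacement are deliberately not supported, since honouring them would require interpreting the user's text.

```perl
#!/usr/bin/env perl
# Added example, not Koha's code: applying a user-supplied s/// template
# without string eval. parse_substitution / apply_substitution are
# hypothetical helper names; Koha's MARC modification template code is
# not reproduced here.
use strict;
use warnings;
use feature 'say';

# Split a template string /pattern/replacement/flags into its parts.
# Returns undef unless the whole string is exactly one well-formed s///
# body, so trailing code such as '; print "hi";' is rejected, not run.
sub parse_substitution {
    my ($text) = @_;
    return unless defined $text && $text =~ m{
        \A /
        ( (?: [^/\\] | \\. )* ) /   # pattern: no bare '/', backslash escapes allowed
        ( (?: [^/\\] | \\. )* ) /   # replacement: same rule
        ( [gimsx]* )                # only these flags are honoured
        \z
    }x;
    my ($pattern, $replacement, $flags) = ($1, $2, $3);
    $replacement =~ s{\\/}{/}g;     # '\/' in the replacement means a literal '/'
    return { pattern => $pattern, replacement => $replacement, flags => $flags };
}

# Apply a parsed substitution. The pattern is compiled with qr// and the
# replacement is interpolated as plain data, so nothing in either part is
# executed as Perl. An invalid regex leaves the value unchanged.
sub apply_substitution {
    my ($value, $sub) = @_;
    my %flag = map { $_ => 1 } split //, $sub->{flags};
    my $mods = join '', grep { $flag{$_} } qw(i m s x);
    # (?^...) resets to default modifiers, then applies ours (Perl 5.14+)
    my $re = eval { qr/(?^$mods)$sub->{pattern}/ };
    return $value unless defined $re;
    if ($flag{g}) { $value =~ s/$re/$sub->{replacement}/g }
    else          { $value =~ s/$re/$sub->{replacement}/  }
    return $value;
}

# Constructed inputs: the post's harmless template, its injection attempt,
# and a template using the /g flag.
my @values    = ('foo', 'bar', 'foobar');
my @templates = (
    q|/foo/fee/|,
    q|/foo/fee/; print "hi";|,
    q|/o/0/g|,
);

for my $t (@templates) {
    my $sub = parse_substitution($t);
    if (!$sub) {
        say "rejected template: $t";
        next;
    }
    say "template $t: ", join ', ', map { apply_substitution($_, $sub) } @values;
}
```

Running it prints `fee, bar, feebar` for the first template, a rejection line for the second, and `f00, bar, f00bar` for the third; the `print "hi"` never executes because the template text is only ever matched, never compiled.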
