How so? How would an attacker exploit it?

On Tue, May 30, 2017 at 10:46 AM, Ruben Safir <ru...@mrbrklyn.com> wrote:

> Using eval is an unacceptable security bug for all online and public
> access programs that acquire data from external non-secured sources.
>
>
>
> On Tue, May 30, 2017 at 09:39:53AM -0400, John Dunlap wrote:
> > Yes, I do that extensively and it works perfectly. It's as close to a true
> > Try/Catch block as we have in the perl world. However, I *usually* do not
> > return values from it because I use this construct to control my database
> > transaction demarcation and using the return value from outside of the eval
> > wouldn't be inside the transaction. With that said, I have had to do it
> > from time to time and it works just fine. Also, it is advisable to copy the
> > contents of $@ into a separate variable immediately. My understanding is
> > that this can prevent some weird concurrency issues, under some conditions.
> > My general form looks something like this,
> >
> > my $return = eval {
> >     # BEGIN DATABASE TRANSACTION
> >
> >     # DO SOME STUFF
> >
> >     # COMMIT DATA BASE TRANSACTION
> >
> >     return 'SOME VALUE';
> > };
> >
> > if ($@) {
> >     my $error = $@;
> >
> >     # ROLLBACK DATABASE TRANSACTION
> >
> >     # LOG ERROR
> > }
> >
> >
> > On Tue, May 30, 2017 at 4:47 AM, James Smith <j...@sanger.ac.uk> wrote:
> >
> > > Not really a mod_perl question but you can always wrap your method call in
> > > an eval
> > >
> > > my $ret = eval { $m->...() };
> > >
> > > And then check $@ for the error message
> > >
> > >
> > > On 2017-05-26 02:08 AM, Peng Yonghua wrote:
> > >
> > >> greeting,
> > >>
> > >> I am not so good at perl/modperl,:)
> > >>
> > >> In the handler, a method from a class was called; when something dies
> > >> from within the method, what's the correct way for the handler to handle it?
> > >>
> > >> For example, I wrote this API which works right if given a correct domain
> > >> name:
> > >>
> > >> http://fenghe.org/domain/?d=yahoo.com
> > >>
> > >> server response:
> > >> var data={"registration":"domain may be taken","domain":"yahoo.com"}
> > >>
> > >> If given a wrong domain name:
> > >>
> > >> http://fenghe.org/domain/?d=yahoo.nonexist
> > >>
> > >> The server returns 500.
> > >>
> > >> This is because, in the handler, I used this module (also written by me):
> > >>
> > >> http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.03/lib/Net/Domain/Registration/Check.pm
> > >>
> > >> And in the module, a croak like this happened:
> > >>
> > >> croak "domain TLD not exists" unless tld_exists($tld);
> > >>
> > >> When the handler meets the croak, it dies (I guess) and the server returns
> > >> 500.
> > >>
> > >> How will I make the full system work right? Fix it in the handler, or in
> > >> the module itself?
> > >>
> > >> Thanks.
> > >>
> > >
> > >
> > >
> > > --
> > > The Wellcome Trust Sanger Institute is operated by Genome Research
> > > Limited, a charity registered in England with number 1021457 and a company
> > > registered in England with number 2742969, whose registered office is
> > > 215 Euston Road, London, NW1 2BE.
> >
> >
> >
> >
> > --
> > John Dunlap
> > *CTO | Lariat *
> >
> > *Direct:*
> > *j...@lariat.co <j...@lariat.co>*
> >
> > *Customer Service:*
> > 877.268.6667
> > supp...@lariat.co
>
>
>
> --
> So many immigrant groups have swept through our town
> that Brooklyn, like Atlantis, reaches mythological
> proportions in the mind of the world - RI Safir 1998
> http://www.mrbrklyn.com
>
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive
> http://www.coinhangout.com - coins!
> http://www.brooklyn-living.com
>
> Being so tracked is for FARM ANIMALS and extermination camps,
> but incompatible with living as a free human being. -RI Safir 2013
>
>


-- 
John Dunlap
*CTO | Lariat *

*Direct:*
*j...@lariat.co <j...@lariat.co>*

*Customer Service:*
877.268.6667
supp...@lariat.co
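
The following is an added example, not code from this thread, from mod_perl or from Net::Domain::Registration::Check. It shows the handler-side fix the thread converges on: the module call is wrapped in a block eval, $@ is copied immediately, and a croak such as "domain TLD not exists" becomes a 400 with a JSON error body rather than a 500. It also makes the point behind the security exchange concrete: the block form `eval { ... }` is compiled with the rest of the file and never compiles request data, while the string form `eval $string` does compile its argument and is the variant that must not see external input. The `Hypothetical::DomainCheck` package, its TLD list, and the `(status, body)` return convention of `handle_domain_request` are constructed stand-ins for the real module and for mod_perl's request object.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread, from mod_perl or from
# Net::Domain::Registration::Check.  A hypothetical handler wraps the module
# call in a block eval and answers 400 with a JSON error instead of letting
# the request die with a 500.  The checker package, its TLD list and the
# (status, body) return convention are constructed stand-ins.
use strict;
use warnings;
use JSON::PP ();

{
    # Constructed stand-in for the real module: croaks on an unknown TLD,
    # the same failure mode the thread describes.
    package Hypothetical::DomainCheck;
    use Carp qw(croak);

    my %KNOWN_TLD = map { $_ => 1 } qw(com net org);

    sub check_registration {
        my ($domain) = @_;
        croak "domain name required" unless defined $domain && length $domain;
        croak "bad domain syntax"
            unless $domain =~ /\A[a-z0-9-]+(?:\.[a-z0-9-]+)+\z/i;
        my ($tld) = $domain =~ /\.([^.]+)\z/;
        croak "domain TLD not exists" unless $KNOWN_TLD{ lc $tld };
        return { domain => $domain, registration => 'domain may be taken' };
    }
}

my $json = JSON::PP->new->canonical;

# Hypothetical handler: takes the ?d= value and returns (http_status, body).
# Under mod_perl the status would become the handler's return code and the
# body would go out through $r->print; that plumbing is omitted here.
sub handle_domain_request {
    my ($d) = @_;

    # Block eval: the braces are compiled with the rest of the file, so no
    # request data is ever compiled as Perl.  The string form, eval $string,
    # compiles whatever the string holds and is the variant that must never
    # see external input; nothing below uses it.
    local $@;
    my $result;
    my $ok = eval { $result = Hypothetical::DomainCheck::check_registration($d); 1 };

    # Copy $@ right away: code that runs while the stack unwinds (DESTROY
    # methods, nested evals) can overwrite it.  Branch on $ok rather than on
    # $@ alone, so an error whose $@ was clobbered to "" is still a failure.
    my $error = $@;
    if (!$ok) {
        # Keep the full text (with Carp's "at FILE line N") in the server log,
        # and send the client only the first line with that suffix removed.
        warn "domain check failed for '" . ($d // '') . "': $error";
        my ($message) = split /\n/, $error;
        $message =~ s/ at \S+ line \d+\.?\z// if defined $message;
        return (400, $json->encode({ error => $message || 'request failed' }));
    }
    return (200, 'var data=' . $json->encode($result));
}

unless (caller) {
    for my $d ('yahoo.com', 'yahoo.nonexist', '') {
        my ($status, $body) = handle_domain_request($d);
        print "$status $body\n";
    }
}
```

Run directly, the script prints a 200 line with the same `var data={...}` body the thread shows for yahoo.com, and 400 lines carrying `{"error":"domain TLD not exists"}` and `{"error":"domain name required"}` for the other two inputs. In a real mod_perl handler the 400 branch would set the content type, print the JSON body and return `Apache2::Const::HTTP_BAD_REQUEST`; the croak in the module is left alone, since a library signalling a bad argument by dying is reasonable and the handler is the layer that knows how to turn that into an HTTP response.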
