How so? How would an attacker exploit it?

On Tue, May 30, 2017 at 10:46 AM, Ruben Safir <ru...@mrbrklyn.com> wrote:

> Using eval is an unacceptable security bug for all online and public
> access programs that acquire data from external non-secured sources.
>
> On Tue, May 30, 2017 at 09:39:53AM -0400, John Dunlap wrote:
> > Yes, I do that extensively and it works perfectly. It's as close to a
> > true Try/Catch block as we have in the perl world. However, I *usually*
> > do not return values from it because I use this construct to control my
> > database transaction demarcation and using the return value from outside
> > of the eval wouldn't be inside the transaction. With that said, I have
> > had to do it from time to time and it works just fine. Also, it is
> > advisable to copy the contents of $@ into a separate variable
> > immediately. My understanding is that this can prevent some weird
> > concurrency issues, under some conditions. My general form looks
> > something like this,
> >
> >     my $return = eval {
> >         # BEGIN DATABASE TRANSACTION
> >
> >         # DO SOME STUFF
> >
> >         # COMMIT DATABASE TRANSACTION
> >
> >         return 'SOME VALUE';
> >     };
> >
> >     if ($@) {
> >         my $error = $@;
> >
> >         # ROLLBACK DATABASE TRANSACTION
> >
> >         # LOG ERROR
> >     }
> >
> > On Tue, May 30, 2017 at 4:47 AM, James Smith <j...@sanger.ac.uk> wrote:
> >
> > > Not really a mod_perl question but you can always wrap your method
> > > call in an eval
> > >
> > >     my $ret = eval { $m->...() };
> > >
> > > And then check $@ for the error message
> > >
> > > On 2017-05-26 02:08 AM, Peng Yonghua wrote:
> > >
> > >> greeting,
> > >>
> > >> I am not so good at perl/modperl,:)
> > >>
> > >> In the handler, a method from a class was called, when something dies
> > >> from within the method, what's the correct way the handler will take?
> > >>
> > >> for example, I wrote this API which works right if given a correct
> > >> domain name:
> > >>
> > >> http://fenghe.org/domain/?d=yahoo.com
> > >>
> > >> server response:
> > >> var data={"registration":"domain may be taken","domain":"yahoo.com"}
> > >>
> > >> If given a wrong domain name:
> > >>
> > >> http://fenghe.org/domain/?d=yahoo.nonexist
> > >>
> > >> The server returns 500.
> > >>
> > >> This is because, in the handler, I used this module (written also by
> > >> me):
> > >>
> > >> http://search.cpan.org/~pyh/Net-Domain-Registration-Check-0.03/lib/Net/Domain/Registration/Check.pm
> > >>
> > >> And in the module, a croak like this happened,
> > >>
> > >>     croak "domain TLD not exists" unless tld_exists($tld);
> > >>
> > >> When the handler meets the croak, it dies (I guess) and the server
> > >> returns 500.
> > >>
> > >> How will I make the full system work right? fix on the handler, or the
> > >> module itself?
> > >>
> > >> Thanks.
> > >
> > > --
> > > The Wellcome Trust Sanger Institute is operated by Genome Research
> > > Limited, a charity registered in England with number 1021457 and a
> > > company registered in England with number 2742969, whose registered
> > > office is 215 Euston Road, London, NW1 2BE.
> >
> > --
> > John Dunlap
> > *CTO | Lariat*
> >
> > *Direct:*
> > *j...@lariat.co <j...@lariat.co>*
> >
> > *Customer Service:*
> > 877.268.6667
> > supp...@lariat.co
>
> --
> So many immigrant groups have swept through our town
> that Brooklyn, like Atlantis, reaches mythological
> proportions in the mind of the world - RI Safir 1998
> http://www.mrbrklyn.com
>
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive
> http://www.coinhangout.com - coins!
> http://www.brooklyn-living.com
>
> Being so tracked is for FARM ANIMALS and extermination camps,
> but incompatible with living as a free human being. -RI Safir 2013

--
John Dunlap
*CTO | Lariat*

*Direct:*
*j...@lariat.co <j...@lariat.co>*

*Customer Service:*
877.268.6667
supp...@lariat.co
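As an added example (not code from any poster in this thread, and not the Net::Domain::Registration::Check module's own code), here is the eval-block pattern John Dunlap describes applied to Peng Yonghua's handler, together with the fact that answers John's closing question: Perl has two evals. `eval BLOCK` is compiled with the rest of the program, so request data inside it is only ever data, and wrapping a method call in it is a try/catch, not an injection point. `eval STRING` parses its argument as Perl source at run time, and that is the form that must never see unvalidated input. The handler is modelled as a plain function returning a status and a body so the script runs without mod_perl (in a real handler you would set `$r->status`, `$r->content_type` and return `Apache2::Const::HTTP_BAD_REQUEST` instead); `check_domain`, `tld_exists`, `handle_request`, `unsafe_string_eval` and the TLD list are assumptions made for this example only.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread. Models the handler as a plain
# function so it runs without mod_perl; the sub names and the TLD list below
# are assumptions constructed for the demo, not the real module's internals.
use strict;
use warnings;
use Carp qw(croak);
use JSON::PP qw(encode_json);

# --- Stand-in for the module: croaks on bad input, like the real one ---
my %KNOWN_TLD = map { $_ => 1 } qw(com org net uk);   # constructed list

sub tld_exists {
    my ($tld) = @_;
    return exists $KNOWN_TLD{ lc $tld };
}

sub check_domain {
    my ($domain) = @_;
    croak "domain name required" unless defined $domain && length $domain;
    my ($tld) = $domain =~ /\.([A-Za-z0-9-]+)\z/
        or croak "domain has no TLD";
    croak "domain TLD not exists" unless tld_exists($tld);
    return { domain => $domain, registration => 'domain may be taken' };
}

# --- Stand-in for the mod_perl handler: returns (status, body) ---
sub handle_request {
    my ($d) = @_;
    my $result;
    # eval BLOCK is the try. Ending the block with 1 and testing the return
    # value is more robust than testing $@ afterwards, because $@ can be
    # clobbered by a DESTROY or a nested eval before the handler reads it.
    my $ok = eval {
        $result = check_domain($d);
        1;
    };
    if (!$ok) {
        my $error = $@ || 'unknown error';         # copy immediately
        $error =~ s/ at \S+ line \d+\.?\n?\z//;    # strip croak's location
        # Bad client input is a 400, not a 500, and no file/line leaks out.
        return (400, encode_json({ error => $error, domain => $d }));
    }
    return (200, 'var data=' . encode_json($result));
}

# --- The eval that IS a security problem: eval STRING on client data ---
# Here the client's bytes become Perl source. eval BLOCK cannot be abused
# this way because nothing inside it is parsed at run time.
sub unsafe_string_eval {
    my ($untrusted) = @_;
    return eval "'$untrusted'";                    # attacker controls the code
}

for my $d ('yahoo.com', 'yahoo.nonexist', '') {
    my ($status, $body) = handle_request($d);
    print "d='$d' -> $status $body\n";
}

# Constructed hostile input: closes the quote and runs the attacker's code.
my $evil = q{' . ($main::pwned = 'attacker code ran') . '};
print "string eval returned: ", unsafe_string_eval($evil), "\n";
print "side effect visible to the whole process: $main::pwned\n";
```

Running it, `yahoo.com` yields a 200 with the JSON body, `yahoo.nonexist` and the empty string yield a 400 with the croak message and no stack location, and the last two lines show why the string form is the one to avoid: the "domain name" assigns a package variable (here; it could just as easily call `system`) simply by being evaluated.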