On Wed, Apr 11, 2012 at 05:04:04PM +0200, Horvath, Akos wrote:
> Hello,
>
> Yes, it is true. But follow the code further. In the eval() is a read(), from
> a file handle to a .ttf file.
>
> It reads the first 12 bytes of a ttf font file, and then evaluates it as a
> perl code block!
No it doesn't!
That's block eval, not string eval!
eval {
    die "Boom";     # the die is caught by the enclosing block eval
};
warn $@;            # $@ holds "Boom at ..."; execution continues here
Notice that the exception doesn't end the program but instead is put in $@.
That's what block eval does.
eval 'print qq{Security hole!\n}';
is string eval, which would have the problem you describe.
That code is not using string eval, so does not have that problem.
--
Matt S Trout - Shadowcat Systems - Perl consulting with a commit bit and a clue
http://shadowcat.co.uk/blog/matt-s-trout/ http://twitter.com/shadowcat_mst/
Email me now on mst (at) shadowcat.co.uk and let's chat about how our Catalyst
commercial support, training and consultancy packages could help your team.
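The distinction drawn in the reply above, as an added example that is not part of the original thread: the same 12 bytes are handed to a read() inside a block eval and, for contrast, to a string eval. The in-memory "file" and its contents are constructed for the demonstration; the sub names are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the first 12 bytes of a .ttf file. A real TrueType
# header is binary; these bytes are chosen to look like Perl source so the
# difference between the two evals is visible.
my $font_bytes  = '$ran = 1; 1;';   # exactly 12 bytes
my $short_bytes = 'abc';            # too short: exercises the error path

# Block eval: the code between the braces is fixed at compile time. read()
# only copies bytes into $header; nothing from the "file" is parsed as Perl.
# A die inside the block lands in $@ instead of ending the program.
sub read_header_block_eval {
    my ($bytes) = @_;
    open my $fh, '<', \$bytes or die "open: $!";
    my $header = '';
    my $ok = eval {
        read($fh, $header, 12) == 12 or die "short read\n";
        1;
    };
    close $fh;
    my $err = $@;
    chomp $err;
    return { ok => $ok ? 1 : 0, error => $err, header => $header };
}

# String eval: the string's contents are compiled and executed. This is the
# form the quoted message was worried about; here the bytes really do run.
sub string_eval_header {
    my ($bytes) = @_;
    our $ran = 0;
    eval $bytes;
    return $ran;
}

my $good = read_header_block_eval($font_bytes);
printf "block eval (12 bytes): ok=%d header=[%s] error=[%s]\n",
    $good->{ok}, $good->{header}, $good->{error};

my $bad = read_header_block_eval($short_bytes);
printf "block eval (3 bytes):  ok=%d header=[%s] error=[%s]\n",
    $bad->{ok}, $bad->{header}, $bad->{error};

printf "string eval: code taken from the 'file' ran=%d\n",
    string_eval_header($font_bytes);
```

The block-eval variant returns the bytes unchanged in both cases and reports the short read through $@; only the string-eval variant ends with $ran set to 1.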