Ok, I understood.

Thank you very much, and sorry for the false alarm.

---

I think this Font::TTFMetrics needs a little bit of optimization. It reads and 
reads the file again and again, which is slow when it is used for a lot of 
strings. I registered to PAUSE, but it is not enough. Until then, the current 
author hasn't replied to my emails. What could I do?

Bye,

Akos

-----Original Message-----
From: Matt S Trout [mailto:m...@shadowcat.co.uk] 
Sent: Wednesday, 11 April 2012 17:19
To: Horvath, Akos
Cc: 'modu...@cpan.org'; 'ma...@bioinformatics.org'
Subject: Re: warning: sechole, possibly trojan in Font::TTFMetrics

On Wed, Apr 11, 2012 at 05:04:04PM +0200, Horvath, Akos wrote:
> Hello,
> 
> Yes, it is true. But follow the code further. In the eval() is a read(), from 
> a file handle to a .ttf file.
> 
> It reads the first 12 bytes of a ttf font file, and then evaluates it as a 
> perl code block!

No it doesn't!

That's block eval, not string eval!

  eval {
    die "Boom";
  };
  warn $@;

Notice that the exception doesn't end the program but instead is put in $@.

That's what block eval does.

  eval 'print qq{Security hole!\n}';

is string eval, which would have the problem you describe.

That code is not using string eval, so does not have that problem.

-- 
Matt S Trout - Shadowcat Systems - Perl consulting with a commit bit and a clue

http://shadowcat.co.uk/blog/matt-s-trout/   http://twitter.com/shadowcat_mst/

Email me now on mst (at) shadowcat.co.uk and let's chat about how our Catalyst
commercial support, training and consultancy packages could help your team.
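To make the block-eval point above concrete, here is an added example (not code from the thread or from Font::TTFMetrics) that wraps a 12-byte read() in a block eval exactly as described, feeds it a constructed file whose first bytes happen to look like Perl source, and shows that those bytes come back as plain data while a genuine I/O failure is what the eval catches. The file contents and the read_header function are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a read() inside a block eval
# treats file contents as data, never as Perl source.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed sample: a file whose first 12 bytes happen to look like Perl
# code. A real TrueType file would start with a 4-byte version tag and the
# table directory instead.
my ($fh, $path) = tempfile(UNLINK => 1);
binmode $fh;
print {$fh} 'die "Boom"; ' . ("\x00" x 20);
close $fh;

# read_header (hypothetical name): the same shape as the pattern discussed in
# the thread, a read() of 12 bytes wrapped in block eval to catch I/O errors.
sub read_header {
    my ($file) = @_;
    my $buf;
    my $ok = eval {
        open my $in, '<:raw', $file or die "open $file: $!";
        my $n = read $in, $buf, 12;
        defined $n && $n == 12 or die "short read on $file";
        close $in;
        1;
    };
    return ($ok, $buf, $@);
}

my ($ok, $header, $err) = read_header($path);
printf "block eval succeeded: %s\n", $ok ? 'yes' : 'no';
printf "header bytes (hex): %s\n", unpack('H*', $header);
printf "header as text:     %s\n", $header;
# Nothing died: the 12 bytes were returned as a string. Only a string eval
# (eval $header) would compile and run that text as Perl.

# What block eval actually catches: an exception raised inside the block,
# here from open() failing on a path that does not exist.
my ($ok2, undef, $err2) = read_header('/nonexistent/font.ttf');
printf "missing file -> ok=%d, error=%s", $ok2 ? 1 : 0, $err2;
```

When auditing a CPAN module for this class of issue, the distinction to check is the syntax at the call site: `eval { ... }` is a try/catch construct, `eval $string` or `eval '...'` compiles and executes the argument. Perl::Critic's BuiltinFunctions::ProhibitStringyEval policy flags the latter form, which makes a quick static pass over a distribution straightforward.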
