Guys! Don't get paranoid. It's not a trojan or virus or anything. I am the author of the file. I don't remember why I did the eval. It's been a long time. Will come back to you. And this is my current email address.
On Wed, Apr 11, 2012 at 11:31 AM, Horvath, Akos <horvath.a...@siemens.com> wrote:
> Ok, I understood.
>
> Thank you very much, and sorry for the false alarm.
>
> ---
>
> I think this Font::TTFMetrics needs a little bit of optimization. It reads
> and reads the file again and again, which is slow when it is used for a lot of
> strings. I registered to PAUSE, but it is not enough. Until then, the current
> author hasn't replied to my emails. What could I do?
>
> Bye,
>
> Akos
>
> -----Original Message-----
> From: Matt S Trout [mailto:m...@shadowcat.co.uk]
> Sent: Wednesday, 11 April 2012 17:19
> To: Horvath, Akos
> Cc: 'modu...@cpan.org'; 'ma...@bioinformatics.org'
> Subject: Re: warning: sechole, possibly trojan in Font::TTFMetrics
>
> On Wed, Apr 11, 2012 at 05:04:04PM +0200, Horvath, Akos wrote:
>> Hello,
>>
>> Yes, it is true. But follow the code further. Inside the eval() there is a read(),
>> from a file handle to a .ttf file.
>>
>> It reads the first 12 bytes of a ttf font file, and then evaluates it as a
>> perl code block!
>
> No it doesn't!
>
> That's block eval, not string eval!
>
> eval {
>     die "Boom";
> };
> warn $@;
>
> Notice that the exception doesn't end the program but instead is put in $@.
>
> That's what block eval does.
>
> eval 'print qq{Security hole!\n}';
>
> is string eval, which would have the problem you describe.
>
> That code is not using string eval, so does not have that problem.
>
> --
> Matt S Trout - Shadowcat Systems - Perl consulting with a commit bit and a clue
>
> http://shadowcat.co.uk/blog/matt-s-trout/ http://twitter.com/shadowcat_mst/
>
> Email me now on mst (at) shadowcat.co.uk and let's chat about how our Catalyst
> commercial support, training and consultancy packages could help your team.
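To make Matt's block-eval point concrete for the 12-byte read the thread is about, here is an added Perl example (not code from Font::TTFMetrics or from anyone in this thread): it reads the TrueType offset table inside a block eval, treats the bytes purely as data via unpack, and shows a truncated file ending up as an error in $@ rather than as executed code or a dead program. The field names and the constructed header bytes are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the 12-byte TrueType offset table: uint32 sfnt version, then four
# uint16 fields (numTables, searchRange, entrySelector, rangeShift), all
# big-endian. The read() sits inside a BLOCK eval, so the bytes are only
# ever data for unpack; a short or malformed file raises an exception that
# lands in $@ instead of ending the program. A STRING eval of $buf would be
# the hole discussed in the thread; this never compiles file content.
sub read_offset_table {
    my ($fh) = @_;
    my %hdr;
    eval {
        my $got = read($fh, my $buf, 12);
        defined $got or die "read failed: $!\n";
        $got == 12 or die "truncated header: got $got of 12 bytes\n";
        @hdr{qw(version numTables searchRange entrySelector rangeShift)}
            = unpack 'N n n n n', $buf;
        # 0x00010000 is sfnt 1.0; 0x74727565 is the 'true' tag used by Apple fonts.
        $hdr{version} == 0x00010000 || $hdr{version} == 0x74727565
            or die sprintf "not a TrueType sfnt version: 0x%08x\n", $hdr{version};
        1;
    } or return (undef, $@);
    return (\%hdr, undef);
}

# Constructed sample input (not from a real font): a valid header for a font
# with 4 tables, and the same bytes cut off after 5 bytes.
my $header = pack 'N n n n n', 0x00010000, 4, 64, 2, 0;
my $short  = substr $header, 0, 5;

for my $case ([full => $header], [truncated => $short]) {
    my ($name, $bytes) = @$case;
    open my $fh, '<', \$bytes or die "open: $!";   # in-memory filehandle
    binmode $fh;
    my ($hdr, $err) = read_offset_table($fh);
    if ($hdr) {
        printf "%-9s ok: version=0x%08x numTables=%d\n",
            $name, @$hdr{qw(version numTables)};
    } else {
        printf "%-9s rejected: %s", $name, $err;   # error came via $@; loop continues
    }
}
```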