[Melbourne-pm] Using strict...
Jacinta Richardson
jarich at perltraining.com.au
Mon Feb 19 20:28:58 PST 2007
Tim Hunt wrote:
> I am updating *old* cgi-bin scripts to _use strict_.
You are very brave. ;) Did you notice that you're using the two-argument
version of "open" without specifying file mode? Depending on how the program
gets the config file name, that could be a security problem.
> The original author had a suite of config files A.cfg, B.cfg etc. that
> were parsed at run time to declare variables.
How many of these are there? How many variables are they declaring?
> Of course, with strict on, this does not work as the variables are all
> confined to the scope of the eval(config_line).
Yup that's correct.
> My options seem to be to declare all the variables in the main script
> and carry on regardless, or implement a better config method.
If you know what variables you expect to import, this shouldn't be too much of a
problem. I presume you're happy to find out what these variables should be.
# a.cfg
use strict;
our $foo = 'hello world';
our $bar = 3;

# main
use strict;
...
while (<IN>) {
    eval(untaint($_));    # each config line is run as Perl code
    if ($@) {
        my_warn($@);
    }
}
our ($foo, $bar);    # Only change
print $foo;
Personally I'd recommend using a better config method. I usually use
Config::General but there are lots of other alternatives:
# aa.cfg
foo = hello world
bar = 3

# Main script:
use strict;
use Config::General;

my $config_file = 'aa.cfg';
my %config = Config::General->new($config_file)->getall();
print $config{foo}, "\n";
# or
my $foo = $config{foo};
The above has a number of advantages over your original:
* it's shorter (fewer places for bugs to hide),
* can handle fields with multiple values,
* can handle flags,
* doesn't require explicit file handling (fewer problems with open),
* should be easier for people to immediately understand,
* avoids sneaky security problems if your untaint() method isn't
perfect and bad people can edit your config files.
On the downside, I don't believe that Config::General comes standard with Perl,
but I could be mistaken.
All the best,
Jacinta
--
("`-''-/").___..--''"`-._ | Jacinta Richardson |
`6_ 6 ) `-. ( ).`-.__.`) | Perl Training Australia |
(_Y_.)' ._ ) `._ `. ``-..-' | +61 3 9354 6001 |
_..`--'_..-_/ /--'_.' ,' | contact at perltraining.com.au |
(il),-'' (li),' ((!.-' | www.perltraining.com.au |
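The two points raised in the message (a fixed read-only mode for open, and config data that is parsed rather than eval'd) put together in a core-Perl script, as an added example that is not part of the original thread. It assumes the config files are named A.cfg and B.cfg in the current directory, use the "key = value" layout of the aa.cfg example, and that foo and bar are the only keys the script expects.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): reads a key = value config
# without eval, using three-argument open and an allow-list of keys.
use strict;
use warnings;

# Only these keys may be set by a config file (assumption: $foo and $bar
# are the variables the original scripts expect, as in the a.cfg example).
my %allowed = map { $_ => 1 } qw(foo bar);

# Only config names from a fixed set are accepted, so a name that came from
# CGI input cannot point at an arbitrary path or carry a '|' or '>' prefix.
my %known_config = map { $_ => 1 } qw(A B);

sub read_config {
    my ($name) = @_;
    die "unknown config '$name'\n" unless $known_config{$name};
    my $path = "$name.cfg";    # assumption: configs live in the current dir

    # Three-argument open: the mode is fixed to '<' (read-only), so the file
    # name can never be interpreted as a pipe or an output redirection.
    open my $fh, '<', $path or die "cannot open $path: $!\n";

    my %config;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;    # skip comments and blank lines
        my ($key, $value) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "$path line $.: cannot parse '$line'\n";
        die "$path line $.: key '$key' is not allowed\n"
            unless $allowed{$key};
        $config{$key} = $value;    # stored as plain data, never eval'd
    }
    close $fh;
    return \%config;
}

# Perl 5.10+ for '//'; the config name would come from a CGI parameter in
# the original scripts, here it is taken from the command line.
my $config = read_config($ARGV[0] // 'A');
print "foo=$config->{foo}\n" if defined $config->{foo};
print "bar=$config->{bar}\n" if defined $config->{bar};
```

A config line that does not match the expected layout, or that names a key outside the allow-list, stops the script with the file and line number instead of being silently run or ignored.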