An Inherent Danger in Data::Dumper
Data::Dumper is a handy Perl module, but using it blindly in conjunction with the eval function can create security holes.
September 30, 1999
Data::Dumper is a handy module, but using it blindly in conjunction with the eval function to transmit data can create security holes. Never use the eval function to act on code from an insecure source. For example, suppose you develop a client-server application using a similar protocol, run the server process as an administrator, and distribute the client processes to your users. The client process uses Data::Dumper to convert the Perl objects to strings and send the strings over the network to the server process, which uses the eval function to convert the text strings back to the original objects and operates on those objects. Nothing in this system prevents the users from connecting to the server port via Telnet (or another program) and submitting their Perl code, which will now run in the server process as if they were administrators. If you want to use the eval function with untrusted code, you can use the Safe module. This module lets you create sandboxes in which to execute untrusted code.
In my system, this security hole isn't a big problem because the parent and child processes are running on the same machine. In addition, I built code into MyRpcPort to reject connections from other IP addresses. However, you must always contemplate the security aspects of the code on your system.
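The difference between a bare eval and a Safe compartment, as an added example that is not code from the original article. The names decode_with_eval, decode_with_safe and $INJECTED and the three input strings are constructed for illustration, and the hash-reference check assumes a protocol whose messages are hashes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use Safe;

our $INJECTED = 0;    # flag in the real process that a constructed input tries to set

# The pattern the article warns about: the peer's text runs as ordinary Perl.
sub decode_with_eval {
    my ($text) = @_;
    no strict 'vars';    # Data::Dumper output assigns to $VAR1
    return eval $text;
}

# Hardened form: evaluate in a Safe compartment with its default operator
# mask, then check that the result has the shape this (hypothetical)
# protocol expects. Safe restricts operators and the visible namespace;
# it does not limit CPU or memory use.
sub decode_with_safe {
    my ($text) = @_;
    my $cpt  = Safe->new;
    my $data = $cpt->reval($text);
    die "rejected: $@" if $@;
    die "rejected: not a hash reference\n" unless ref($data) eq 'HASH';
    return $data;
}

# What an honest client sends.
my $honest = Dumper({ cmd => 'list', args => [ 1, 2 ] });

# Constructed inputs standing in for text typed into the server port.
my $sets_flag = '$main::INJECTED = 1; $VAR1 = { cmd => "list" };';
my $runs_cmd  = '$VAR1 = { cmd => "list" }; system("true"); $VAR1;';

print "safe, honest:    cmd=", decode_with_safe($honest)->{cmd}, "\n";

decode_with_safe($sets_flag);    # the assignment lands in the compartment's namespace
print "safe, sets_flag: INJECTED=$INJECTED\n";

eval { decode_with_safe($runs_cmd) };    # system is outside the default mask
print "safe, runs_cmd:  $@";

decode_with_eval($sets_flag);    # the same text now reaches the real process
print "eval, sets_flag: INJECTED=$INJECTED\n";
```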