Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

You can eval Perl without EVAL_PERL #245

Open
exercism-1 opened this issue Jan 9, 2020 · 3 comments
Open

You can eval Perl without EVAL_PERL #245

exercism-1 opened this issue Jan 9, 2020 · 3 comments

Comments

@exercism-1
Copy link

The EVAL_PERL option controls the PERL directive, which allows Perl code to be embedded in a template. However, you don't need PERL to run arbitrary Perl code:

[% template.new({ 'BLOCK' => 'print STDERR "ace.\n"; die' }) %]

I'm not sure if this counts as a bug. Feel free to close.

@DrHyde
Copy link

DrHyde commented Jan 15, 2020

I think it is a bug, and not just because it's a security concern. The Template::Parser docs say "The $data hash reference returned contains a BLOCK item containing the compiled Perl code for the template" so it seems to me that instantiating an object with that but no template, or with a template that doesn't match the BLOCK item, shouldn't really be possible.

@atoomic
Copy link
Collaborator

atoomic commented Jan 15, 2020

At first glance this seems to be by design,
look how the BLOCK directive is implemented

template($block) - https://github.com/abw/Template2/blob/master/lib/Template/Directive.pm#L69
anon_block($block) - https://github.com/abw/Template2/blob/master/lib/Template/Directive.pm#L100

@dracos
Copy link
Contributor

dracos commented Jul 10, 2020

This isn't a BLOCK directive, it's the BLOCK constructor argument to Template::Document. As template in a template is the Template::Document object, http://www.template-toolkit.org/docs/modules/Template/Document.html says new can be passed in a string which is then immediately eval()ed. I guess the special template and component template variables should not be an object on which you can call new, perhaps a Template::Document subclass that uses _new as the constructor? As then that wouldn't be available in the template (unless you've undefined PRIVATE). Or the Template::Document constructor could check and only let itself be called as Template::Document->new and not $instance->new.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants