[ic] GlobalSub can't use modules

Kevin Walsh interchange-users@interchange.redhat.com
Tue Apr 2 14:53:01 2002


> 
> It is now obvious that [ic] is unable to load any modules at run time.
> So I did an "su interch" and ran the standalones from there and they
> worked fine.
> 
> Looking closely at the errors it says that Safe: has reported them. Does
> this mean that there is no escaping Safe:? Is there no place in [ic]
> where one can run perl without intervention? Hours spent reading the
> mailing list archive would suggest that this is not so.
> 
> This is the reason why I'm using this whole GlobalSub system in the first
> place, so I can get around Safe. Is the Safe installed on my machine
> somehow set to extra stringent?
> 
> So after displaying all of this detailed context my question is:
> 
> How can I get around Safe so that I can use modules in my GlobalSub?
> 
You may not have seen the "Tags Reference" and "Interchange Configuration"
documents, so I'll quote from some of the parts that refer to
[perl subs=1 global=1] naughty code [/perl]

From the Tags Reference:
----------------------------------------------------------------------
4.52.2.4. subs
If you have set the AllowGlobal catalog directive, setting subs=1 will
enable you to call GlobalSub routines within the enclosed perl code.
Note that this can compromise security.

4.52.2.5. global
If you have set the AllowGlobal catalog directive, setting global=1
will turn off Safe protection within the tag.

The code within the tag will then be able to do anything the user ID
running Interchange can. This seriously compromises security, and you
should know what you are doing before using it in a public site.
It is especially dangerous if a single Interchange server is shared
by multiple companies or user IDs.

Also, full 'use strict' checking is turned on by default when in
global mode. You can turn it off by using 'no strict;' within your
code. Note that any strict errors will go to the Interchange error
logs, and the tag itself will fail silently within the page.
----------------------------------------------------------------------

Note that if you choose to switch Safe protection off, you are
taking matters into your own hands.  There's a reason why code
that bypasses Safe is referred to as "unsafe".

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
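
The behaviour discussed in this thread, shown with Perl's stock Safe module as an added example (not part of the original post and not Interchange's own code): a default compartment refuses to load a module, while a routine compiled outside the compartment and shared into it runs with the full rights of the process. The routine name `trusted_digest` and the sample input are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration of Perl's Safe.pm; this is not Interchange source code.
use strict;
use warnings;
use Safe;
use Digest::SHA ();    # loaded OUTSIDE the compartment, before any reval

# Hypothetical routine standing in for code defined outside Safe.
# It was compiled without an operator mask, so nothing in it is restricted.
sub trusted_digest {
    my ($data) = @_;
    return Digest::SHA::sha256_hex($data);
}

my $cpt = Safe->new;    # compartment with the default operator mask

# 1. Module loading inside the compartment: 'require' is a masked opcode,
#    so compilation fails and the error is left in $@.
my $ret = $cpt->reval('require Digest::SHA; Digest::SHA::sha256_hex("abc")');
if (defined $ret) {
    print "inside Safe:    $ret\n";
}
else {
    print "inside Safe:    refused: $@";
}

# 2. The same work through a routine shared into the compartment.
#    The compartment code only performs a sub call, which is permitted;
#    the body of the sub runs unrestricted.
$cpt->share('&trusted_digest');
$ret = $cpt->reval('trusted_digest("abc")');
if (defined $ret) {
    print "via shared sub: $ret\n";
}
else {
    print "via shared sub: refused: $@";
}

# Every routine exposed this way widens what restricted code can reach,
# so each one should validate its arguments and do one narrow job.
```

The first call reports that `require` was trapped by the operation mask; the second prints the SHA-256 digest, because the shared routine is not subject to the compartment's restrictions.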