[ic] Adding a system wide module

Mike Heins mike at perusion.com
Tue Feb 1 00:12:18 EST 2005


Quoting Jeff Fearn (jefffearn at gmail.com):
> On Mon, 31 Jan 2005 21:16:41 -0500, Mike Heins <mike at perusion.com> wrote:
> > Quoting Jon Jensen (jon at endpoint.com):
> > The eval is just a tad dangerous with passed tag parameters, so I think
> > I would prefer:
> > 
> > UserTag date_calc Order op args
> > UserTag date_calc Order addAttr
> > UserTag date_calc Routine <<EOF
> > use Date::Calc;
> > sub {
> >    my ($op,$args,$opt) = @_;
> >    no strict 'refs';
> >    my @return;
> >    eval {
> >         @return = &{"Date::Calc::$op"}(@$args);
> >    };
> >    if($@) {
> >        logError("tag date-calc error: $@");
> >        return;
> >    }
> >    return wantarray ? @return : $return[0];
> > }
> > EOF
> 
> I end up going with this (how could I argue with Mike? ;). Thanks guys.
> 
> It is a little disappointing to have to get involved with the Tag code
> when using perl though.

It shouldn't be. Otherwise you would have to allow all code, and that is
dangerous. We have very few hacks and instabilities in IC considering
the power of the tag language, and a major reason is the use of Safe.

You can do whatever you desire with AllowGlobal, but you shouldn't want
to. In order to do something securely on your pages you should do a
pretty intensive study of the security and stability implications. If
you are like most people, you won't, and security suffers.

I always seem to talk about security because it makes people and admins
take notice. But probably the bigger practical bonus is stability. If
you can do file opens and shell commands from pages, you have a strong
possibility of creating instability in your catalog.

Instead of spending that time ensuring against all that, take the few
minutes to make a UserTag connector. Reusable, allows integration
directly into the page with ITL, and a much more known risk from a
security standpoint.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Being against torture ought to be sort of a bipartisan thing.
-- Karl Lehenbauer
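As an added example (not code from the thread), here is the same date_calc routine with an explicit allow-list of Date::Calc functions and integer-only arguments, so the op name arriving from the tag parameters cannot reach arbitrary subs in the Date::Calc namespace; the logError stub is assumed so the script runs outside Interchange, and Date::Calc must be installed.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a date_calc UserTag routine that
# dispatches only to an allow-list of Date::Calc functions instead of any
# name passed in via the tag's "op" parameter. Needs Date::Calc from CPAN.
use strict;
use warnings;
use Date::Calc ();

# Only these functions are reachable from a page; anything else is refused
# before the symbolic call is made.
my %ALLOWED = map { $_ => 1 } qw(
    Add_Delta_Days Add_Delta_YMD Delta_Days Day_of_Week Days_in_Month
    check_date Today
);

# Stand-in for Interchange's logError() so this runs outside IC (assumed).
sub logError { warn "@_\n" }

my $date_calc = sub {
    my ($op, $args, $opt) = @_;
    $args ||= [];
    unless (defined $op && $op =~ /\A\w+\z/ && $ALLOWED{$op}) {
        logError("tag date-calc: refused op '" . ($op // '') . "'");
        return;
    }
    # Date::Calc dies on bad input anyway; rejecting non-integers early keeps
    # the log message meaningful and avoids passing odd strings along.
    for (@$args) {
        unless (/\A-?\d+\z/) {
            logError("tag date-calc: non-numeric argument '$_' for $op");
            return;
        }
    }
    my @return;
    my $ok = eval {
        no strict 'refs';
        @return = &{"Date::Calc::$op"}(@$args);
        1;
    };
    unless ($ok) {
        logError("tag date-calc error: $@");
        return;
    }
    return wantarray ? @return : $return[0];
};

# Usage outside Interchange; inside IC the closure is the UserTag Routine.
my @d = $date_calc->('Add_Delta_Days', [2005, 1, 31, 1]);
print "Add_Delta_Days(2005,1,31,1) = @d\n";
print "Delta_Days = ", scalar $date_calc->('Delta_Days', [2005,1,1, 2005,2,1]), "\n";
my @r = $date_calc->('Localtime', [0]);      # not allow-listed: refused and logged
print "refused op returned ", scalar(@r), " values\n";
```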