On Fri, Sep 12, 2003 at 03:47:31PM +0100, Mike Guy wrote:
> Dave Mitchell wrote
> > Okay, here's a patch. When Safe code is eval'ed now, there are no
> > lexical variables declared within any nested scope, apart from one called
> > $__ExPr__, which is actually local to the code being evaled and has no
> > connection with a lexical variable of the same name that happens to be in
> > an outer nested scope and which is used by Safe.pm.
>
> No need for an extra lexical - you've got the eval() and the sub {}
> the wrong way out.
>
> > So Safe.pm used to do the rough equivalent of
> >
> >     sub reval {
> >         my $expr = (code to be evaled);
> >         safe_call_sv(sub { eval $expr });
> >     );
>
> That should be written
>
>     sub reval {
>         safe_call_sv(eval 'sub {' . shift() . '}');
>     };
>

No, because then the eval is executed outside the sandbox, eg

    reval(' BEGIN { system "rm -rf /" }' );
or
    reval( '1 } system "rm -rf /"; { 1' );

-- 
Thank God I'm an atheist.....
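
The BEGIN objection in the reply above, as an added example that is not part of the original message or of Safe.pm: the same string is compiled once by a plain eval in the caller and once through Safe's reval, and a marker array shows whether compile-time code reached the real main:: package. The helper names compile_outside and compile_inside are hypothetical, and the input is a constructed, harmless stand-in that records a marker instead of running a command.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Compile-time side effects that reach the real main:: package land here.
our @ran;

# Constructed stand-in for the BEGIN string in the message: it pushes a
# marker instead of calling system().
my $untrusted = 'BEGIN { push @main::ran, "BEGIN block ran" } 1';

# Wrapper in the style proposed in the quoted text: the string is compiled
# by a plain eval in the caller, before any compartment is entered.
# BEGIN blocks execute during that compilation.
sub compile_outside {
    my ($code) = @_;
    return eval 'sub {' . $code . '}';
}

# Compilation through Safe's reval: parsing happens with the compartment's
# op mask and root namespace already in force, so any BEGIN block sees the
# compartment's main::, not the caller's.
sub compile_inside {
    my ($code) = @_;
    return Safe->new->reval($code);
}

# Run one compile helper and report what reached the real @main::ran.
sub report {
    my ($label, $compile) = @_;
    @ran = ();
    $compile->($untrusted);    # any returned sub is never called
    my $seen = @ran ? join(', ', @ran) : 'nothing reached main::';
    print "$label: $seen\n";
    return scalar @ran;
}

report('compiled outside the compartment', \&compile_outside);
report('compiled inside the compartment ', \&compile_inside);
```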