Dump running source code?
| Greetings,
I'm not really sure how to explain it, or if it makes sense, but we provide a
webservice written in perl. We have a number of modules for the software, and
have designed the software to allow "plug-ins". We would like to be able to
offer this "plug-in" feature to developers looking to extend our software.
"plug-ins" are simply required modules which contain subroutines. The only
thing that is automatically passed in @_ are a few object handles that are
used in the main "handler" code and made available to the "plug-ins".
Is there any possible way that somebody writing a "plug-in" would be able to
somehow dump the code from the require'ing script? The people writing the
plug-ins do not have access to any of the code, so I'm trying to make sure
they can't access it in any other way.
Thanks!
| |
| JupiterHost.Net 2005-03-21, 3:55 pm |
| Hello,
> Is there any possible way that somebody writing a "plug-in" would be able to
> somehow dump the code from the require'ing script? The people writing the
> plug-ins do not have access to any of the code, so I'm trying to make sure
> they can't access it in any other way.
If I was trying to see the source I'd:
    # $0 holds the path of the running script
    open ZERO, $0 or die "Could not p $!";
    print while (<ZERO>);
    close ZERO;
then based on paths and files I see there try to open those as well.
| |
| Randal L. Schwartz 2005-03-21, 3:55 pm |
| >>>>> "JupiterHost" == JupiterHost Net <mlists@jupiterhost.net> writes:
JupiterHost> Hello,
JupiterHost> If I was trying to see the source I'd:
JupiterHost> open ZERO, $0 or die "Could not p $!";
JupiterHost> print while(<ZERO> );
JupiterHost> close ZERO
And more than that:
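    my %sources;
    local *ARGV; local $/;        # private ARGV; read each file in one piece
    @ARGV = ($0, values %INC);    # the script plus every file loaded so far
    while (<>) {
        $sources{$ARGV} = $_;     # file name => full contents
    }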
There. The entire source code for the application is now in %sources.
Every .pm, every require, and the top-level application.
Enjoy.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
| |
| JupiterHost.Net 2005-03-21, 3:55 pm |
| > And more than that:
>
> my %sources;
> local *ARGV; local $/;
> @ARGV = ($0, values %INC);
> while (<> ) {
> $sources{$ARGV} = $_;
> }
>
> There. The entire source code for the application is now in %sources.
> Every .pm, every require, and the top-level application.
Nice and slick :)
| |
| Wiggins d'Anconia 2005-03-21, 3:55 pm |
| Randal L. Schwartz wrote:
>
> JupiterHost> Hello,
>
> JupiterHost> If I was trying to see the source I'd:
>
> JupiterHost> open ZERO, $0 or die "Could not p $!";
> JupiterHost> print while(<ZERO> );
> JupiterHost> close ZERO
>
> And more than that:
>
> my %sources;
> local *ARGV; local $/;
> @ARGV = ($0, values %INC);
> while (<> ) {
> $sources{$ARGV} = $_;
> }
>
> There. The entire source code for the application is now in %sources.
> Every .pm, every require, and the top-level application.
>
> Enjoy.
>
Out of curiosity (because I really don't know) couldn't you init the
process as a user who has read privileges on the main source files, then
drop the program to a different (read: lower) effective/real uid who
does not have read access to any of the source files? That should
thwart both of the above suggestions. But then there is always
deparsing and the B::* modules, which probably provide a way to get back
to it, but that is beyond my knowledge.....
The OP might want to check out the 'Safe' module to see if it provides
enough facilities to restrict the user from anything unwanted...
presumably you could prevent use/require of the B space.
http://danconia.org
| |
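The privilege drop suggested in the reply above, as an added example that is not part of the original thread: the handler starts as root, loads its own code, then runs the plug-in in a forked child that has switched to an unprivileged account and has confirmed it can no longer open $0 or the application's %INC files. The directory, account name and plug-in path are hypothetical assumptions.

```perl
#!/usr/bin/perl
# Added example: load the application as a privileged user, then run the
# plug-in in a child that has dropped to an account unable to read the source.
use strict;
use warnings;
use Cwd   ();
use POSIX ();

# Assumptions (hypothetical names): adjust to the real layout.
my $APP_DIR     = '/opt/webservice';        # root-owned, mode 0700
my $PLUGIN_USER = 'plugin';                 # unprivileged account
my $PLUGIN_FILE = '/srv/plugins/demo.pm';   # readable by $PLUGIN_USER

# Permanently switch to $user; die unless the ids really changed.
sub drop_privileges {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "unknown user $user\n";
    $) = "$gid $gid";                       # egid and supplementary groups
    POSIX::setgid($gid) or die "setgid: $!\n";
    POSIX::setuid($uid) or die "setuid: $!\n";
    die "privileges not fully dropped\n"
        unless POSIX::getuid() == $uid && POSIX::geteuid() == $uid
            && POSIX::getgid() == $gid && POSIX::getegid() == $gid;
    return;
}

# Files the two snippets in the thread would read: $0 and the values of %INC,
# limited here to the application's own tree. Collected before the drop.
my @sources = grep { defined($_) && !ref($_) && index($_, "$APP_DIR/") == 0 }
              (Cwd::abs_path($0), values %INC);
die "no application files found under $APP_DIR\n" unless @sources;

defined(my $pid = fork) or die "fork: $!\n";
if ($pid == 0) {                            # child: the only place plug-ins run
    drop_privileges($PLUGIN_USER);
    # Fail closed if any application file can still be opened for reading.
    my @leak = grep { open(my $fh, '<', $_) } @sources;
    die "refusing to load plug-in, still readable: @leak\n" if @leak;
    eval { require $PLUGIN_FILE; 1 } or die "plug-in failed: $@";
    exit 0;
}
waitpid($pid, 0);
exit($? >> 8);
```

This only blocks the file reads shown in the thread; as the reply itself notes, the compiled code is still in the child's memory, so deparsing through the B::* modules is not addressed by the uid change.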
|
| > And more than that:
>
> my %sources;
> local *ARGV; local $/;
> @ARGV = ($0, values %INC);
> while (<> ) {
> $sources{$ARGV} = $_;
> }
>
> There. The entire source code for the application is now in %sources.
> Every .pm, every require, and the top-level application.
>
> Enjoy.
Thanks for the reply. I may have to re-think my plug-in abilities.
Does anybody have any tips on building plug-in abilities without allowing
somebody to access the top-level application or do I need to completely
rework this?
Thanks!!!