SOAP::Lite in a Safe ?

Bill

Anyone know how to call SOAP::Lite methods inside a Safe object?
The attempt below fails for some reason:

#=====
use strict;
use warnings;
use Safe;
use SOAP::Lite;

my $compartment = new Safe;
my $retval;
my $resource = '212';
my $sl = new SOAP::Lite;

my $code = <<SCODE;
\$retval = \$sl
-> uri('http://www.soaplite.com/Temperatures')
-> proxy('http://services.soaplite.com/temper.cgi')
-> f2c(\$resource)
-> result;
print "Result is \$retval\n";
SCODE

print "Now outside the box...";
eval $code;

$retval = undef;
$compartment->share(qw($retval $resource $sl));
$compartment->permit(qw(print));

print "\n\nNow in the box...\n";
$compartment->reval($code);
#========

Ideas?
 
James Willmore

> Anyone know how to call SOAP::Lite methods inside a Safe object?
> The attempt below fails for some reason:

What reason? What is it doing that you don't want it to do -or- what is
it not doing you do want it to do?

> #=====
> use strict;
> use warnings;
> use Safe;
> use SOAP::Lite;
>
> my $compartment = new Safe;
> my $retval;
> my $resource = '212';
> my $sl = new SOAP::Lite;
>
> my $code = <<SCODE;
> \$retval = \$sl
> -> uri('http://www.soaplite.com/Temperatures')
> -> proxy('http://services.soaplite.com/temper.cgi')
> -> f2c(\$resource)
> -> result;
> print "Result is \$retval\n";
> SCODE
>
> print "Now outside the box...";
> eval $code;

'eval', in general (a very general sense; OTOH, there are safe ways to use
'eval'), is not something safe. And, just at first glance, I don't really
understand why you're using 'eval' at all. As I'm not familiar with Safe,
is this something that's in the documentation that you're supposed to do?

In general, if you don't know why you're using 'eval', don't.

> $retval = undef;
> $compartment->share(qw($retval $resource $sl));
> $compartment->permit(qw(print));

Okay - you've just evaluated the coderef and now you're trying to make it
safe. Again, is this something in the documentation? This just doesn't
seem right :)

> print "\n\nNow in the box...\n";
> $compartment->reval($code);
> #========
>
> Ideas?

See comments above and HTH

--
Jim

Copyright notice: all code written by the author in this post is
released under the GPL. http://www.gnu.org/licenses/gpl.txt
for more information.

a fortune quote ...
If God didn't mean for us to juggle, tennis balls wouldn't come
three to a can.
 
Bill

James said:
> What reason? What is it doing that you don't want it to do -or- what is
> it not doing you do want it to do?

It fails to connect to the server, or do anything at all, except
complain that $sl is not a valid argument to use for the call. A
namespace problem with Safe.pm, which calls open, pack, etc within
Safe::Lite, I know. I just don't know if I can use Safe with an object?
I tried Safe::Hole, but can't get it to work here either.

> 'eval', in general (a very general sense; OTOH, there are safe ways to use
> 'eval'), is not something safe. And, just at first glance, I don't really
> understand why you're using 'eval' at all. As I'm not familiar with Safe,
> is this something that's in the documentation that you're supposed to do?

I want to take an arbitrary, perhaps tainted SOAP call and make it safe
from the likes of SQL injection. (SOAP injection?) I was hoping not to
have to roll my own Safe::SOAP or SOAP::Safe but maybe I do?

> In general, if you don't know why you're using 'eval', don't.

Sorry if the question was not clear. I was using eval here to show that
eval works but Safe::reval does not. The Safe module uses a
namespace-modified version of eval called reval.
 
Ben Morrow

Bill said:
> I want to take an arbitrary, perhaps tainted SOAP call and make it safe
> from the likes of SQL injection. (SOAP injection?) I was hoping not to
> have to roll my own Safe::SOAP or SOAP::Safe but maybe I do?

Where is this SOAP call coming from? I do not think that Safe is the
right way to go on this: you would be much better off, if you can, getting
the spec for the call in some simpler language and constructing the call
from that.

Ben
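
The approach Ben describes, as an added example (not code from any poster in this thread): the untrusted input is a one-line spec in a hypothetical `method arg ...` format, checked against an allowlist and then passed to SOAP::Lite's generic `call` method, so no caller-supplied text ever reaches `eval` or `reval`. The spec format, the `parse_call` and `dispatch` names and the numeric pattern are assumptions; `f2c` and the URLs are the ones in the thread.

```perl
use strict;
use warnings;

# Allowlist: method name => one validator per positional argument.
# f2c is the method from the thread; the numeric pattern is an assumption.
my $NUMBER  = qr/\A-?\d{1,6}(?:\.\d{1,6})?\z/;
my %ALLOWED = ( f2c => [$NUMBER] );

# Parse one line of the hypothetical spec format "method arg1 arg2 ...".
# Returns (method, \@args) or dies. Input is split and matched, never compiled.
sub parse_call {
    my ($line) = @_;
    die "empty or oversized spec\n"
        unless defined $line && length($line) <= 256;
    my ($method, @args) = split ' ', $line;
    die "empty or oversized spec\n" unless defined $method;
    my $checks = $ALLOWED{$method} or die "method not allowed\n";
    die "wrong argument count\n" unless @args == @$checks;
    for my $i (0 .. $#args) {
        die "argument $i rejected\n" unless $args[$i] =~ $checks->[$i];
    }
    return ($method, \@args);
}

# Build the request from validated parts. SOAP::Lite is loaded only here,
# so the validation above runs without it. URLs are the ones in the thread.
sub dispatch {
    my ($method, $args) = @_;
    require SOAP::Lite;
    my $som = SOAP::Lite
        ->uri('http://www.soaplite.com/Temperatures')
        ->proxy('http://services.soaplite.com/temper.cgi')
        ->call($method => @$args);
    die "SOAP fault\n" if $som->fault;
    return $som->result;
}

# Constructed sample inputs: one well-formed call, four that must be refused.
for my $line ('f2c 212', 'f2c 212; print 1', 'f2c 21x2',
              'proxy http://example.invalid/', '') {
    my ($method, $args) = eval { parse_call($line) };   # block eval = try/catch
    if (!defined $method) {
        chomp(my $why = $@);
        print "REJECT [$line]: $why\n";
        next;
    }
    print "ACCEPT [$line]: would call $method(@$args)\n";
    # print "Result is ", dispatch($method, $args), "\n";   # needs the network
}
```

Only the first sample line is accepted; the others are refused for argument count, argument content, method name and empty input respectively.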
 