Document that load_class() doesn't validate given strings. Fixes #285

Commit 931e92116330d028b1a20e771f38221df55b25d2 (1 parent: 2a84ce3), @miyagawa committed Aug 13, 2012
Showing with 7 additions and 0 deletions.
  1. +7 −0 lib/Plack/Util.pm
@@ -373,6 +373,13 @@ already fully qualified.
my $class = Plack::Util::load_class("Baz", "Foo::Bar"); # Foo::Bar::Baz
my $class = Plack::Util::load_class("+XYZ::ZZZ", "Foo::Bar"); # XYZ::ZZZ
+Note that this function doesn't validate (or "sanitize") the passed
+string, hence if you pass a user input to this function (which is an
+insecure thing to do in the first place) it might lead to unexpected
+behavior of loading files outside your C<@INC> path. If you want a
+generic module loading function, you should check out CPAN modules
+such as L<Module::Runtime>.
+
=item is_real_fh
if ( Plack::Util::is_real_fh($fh) ) { }
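Review bot: The added POD paragraph warns that the string is not validated but gives the caller nothing concrete to do about it; since the note says nothing at all is rejected, callers who must accept a class name from outside should be told what a safe name looks like before they reach for L<Module::Runtime>. Suggest adding one sentence to the new paragraph, for example "If you must accept a class name from an untrusted source, check it against a strict pattern such as C</^\w+(?:::\w+)*$/> first, or use L<Module::Runtime>, which performs that validation for you." The sentence "hence if you pass a user input to this function (which is an insecure thing to do in the first place) it might lead to unexpected behavior" also reads awkwardly; "passing untrusted input to this function may cause files outside your C<@INC> path to be loaded" states the same risk more directly.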

0 comments on commit 931e921