Document that load_class() doesn't validate given strings. Fixes #285

plack · Aug 13, 2012 · 931e921 · 931e921
1 parent 2a84ce3
commit 931e921
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/lib/Plack/Util.pm b/lib/Plack/Util.pm
@@ -373,6 +373,13 @@ already fully qualified.
   my $class = Plack::Util::load_class("Baz", "Foo::Bar");       # Foo::Bar::Baz
   my $class = Plack::Util::load_class("+XYZ::ZZZ", "Foo::Bar"); # XYZ::ZZZ
 
+Note that this function doesn't validate (or "sanitize") the passed
+string, hence if you pass a user input to this function (which is an
+insecure thing to do in the first place) it might lead to unexpected
+behavior of loading files outside your C<@INC> path. If you want a
+generic module loading function, you should check out CPAN modules
+such as L<Module::Runtime>.
+
 =item is_real_fh
 
   if ( Plack::Util::is_real_fh($fh) ) { }