Schwern just posted “How (not) To Load a Module…" that goes into great depth about the security risk in loading modules.
The (not) funny thing is that none of what he’s saying is a risk would be one when running in taint mode.
Consider “/tmp/foo.pm” with this:
package foo; print "Loaded foo\n"; 1;
Then consider this example of how Module::Load does something “unexpected”:
$ perl -MModule::Load=load -wE 'my $file=shift; load $file' ::tmp::foo Loaded foo
(The “threat” is that given an arbitrary module name to load, it will gladly load outside @INC
.)
What if that was run under taint mode, instead?
$ perl -MModule::Load=load -wTE 'my $file=shift; load $file' ::tmp::foo Insecure dependency in require while running with -T switch at /home/david/perl5/perlbrew/perls/perl-5.14.0/lib/5.14.0/Module/Load.pm line 27. Insecure dependency in require while running with -T switch at /home/david/perl5/perlbrew/perls/perl-5.14.0/lib/5.14.0/Module/Load.pm line 27.
I’m not sure why that message is printed twice, but that was still a fatal error and foo.pm didn’t load.
The moral of the story: if you incorporate arbitrary user input into your execution path, use taint mode and validate the input to make sure it’s something safe.