# New Ticket Created by Zoffix Znet
# Please include the string: [perl #128283]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=128283 >
The operators for the `cmp-ok` subroutine can be given as strings or as Callables. The problem with strings is that the subroutine evals them as `EVAL "&infix:<$op>"`, and the current implementation makes it impossible to use, say, '<' as an operator:
<Zoffix> m: use Test; cmp-ok 2, '<', 5, 'seems sane';
<camelia> rakudo-moar beb3c9: OUTPUT«not ok 1 - seems sane␤␤# Failed test 'seems sane'␤# at /tmp/kqui3siS7u line 1␤# Could not use '<' as a comparator␤»
It does work with &[<] instead of '<', and considering that's only 1 character longer and there's no 100% clean way to allow any op in a string, I propose we ditch the string version entirely.
While I don't know anything about SETTINGS, the current implementation also has a security hole, at least in camelia, where `run`, while restricted in general code, is given a free pass when injected inside the string comparator passed to `cmp-ok`:
<Zoffix> m: run "ls"
<camelia> rakudo-moar beb3c9: OUTPUT«run is disallowed in restricted setting␤ in sub restricted at src/RESTRICTED.setting line 1␤ in sub run at src/RESTRICTED.setting line 14␤ in block <unit> at /tmp/wWcCMBi30n line 1␤␤»
<Zoffix> m: use Test; cmp-ok '', '~~>;warn run "ls"; <z', '', '';
<camelia> rakudo-moar beb3c9: OUTPUT«Perlito␤dalek-queue␤evalbot␤evalbot.log␤foo␤lib␤log␤mbox␤nqp-js␤p1␤p2␤p6eval-token␤perl5␤rakudo-j-1␤rakudo-j-2␤rakudo-j-inst␤rakudo-j-inst-1␤rakudo-j-inst-2␤rakudo-m-1␤rakudo-m-2␤rakudo-m-inst␤rakudo-m-inst-1␤rak…»
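
As an added illustration (not part of the ticket and not Rakudo's Test code), the Raku sketch below builds the source text that the string form would hand to EVAL for the two comparators shown above, without evaluating it, and resolves string comparators through a fixed table instead. The names `eval-source`, `resolve-comparator` and `%ALLOWED-OPS` are hypothetical.

```raku
# Added example; names here are hypothetical, not from Rakudo's Test module.

# The ticket says string comparators are evaluated as EVAL "&infix:<$op>".
# Build that source text WITHOUT evaluating it, to inspect what EVAL receives.
sub eval-source(Str $op --> Str) {
    '&infix:<' ~ $op ~ '>'
}

# Hardened alternative (assumption: a small fixed set of operators is enough).
# Strings are only ever used as hash keys, never compiled as code.
my %ALLOWED-OPS =
    '<'  => &[<],
    '>'  => &[>],
    '==' => &[==],
    'eq' => &[eq],
    'ne' => &[ne];

sub resolve-comparator($op) {
    return $op if $op ~~ Callable;   # &[<] style arguments pass straight through
    %ALLOWED-OPS{$op} // die "Could not use '$op' as a comparator";
}

# The two string comparators that appear in the ticket.
for '<', '~~>;warn run "ls"; <z' -> $op {
    say "comparator : $op";

    # '<' becomes &infix:<<>, the case the ticket reports as unusable.
    # The second string closes the <...> early, so the text handed to EVAL
    # contains extra statements after the operator name.
    say "EVAL source: ", eval-source($op);

    my $cmp = try resolve-comparator($op);
    if $cmp.defined {
        say "table      : resolved, 2 $op 5 gives { $cmp(2, 5) }";
    }
    else {
        say "table      : rejected (", $!.message, ")";
    }
    say '';
}
```

With the table lookup, '<' resolves to the same Callable as `&[<]`, and the second string is rejected as an unknown key instead of being compiled.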