PerlMonks  

Re^3: loop iterator in a string

by haukex (Bishop)
on Sep 27, 2021 at 18:54 UTC ( #11137064=note )


in reply to Re^2: loop iterator in a string
in thread loop iterator in a string

Please be aware that eval with anything other than a fixed, literal string (i.e. no variables interpolated in) has the potential to introduce security issues or other subtle bugs.

Re^4: loop iterator in a string
by LanX (Sage) on Sep 27, 2021 at 21:12 UTC
    I think rejecting any $str containing anything which isn't a cipher, comma or dot prior to eval $str should be good enough

        DB<53> $EVIL = ',@{[say "kill all kitties!"]}'

        DB<54> $str = "2,4..9"

        DB<55> p $str =~ m/[^0-9,.]/    # OK

        DB<56> $str .= $EVIL

        DB<57> p $str =~ m/[^0-9,.]/    # NOT OK
        1

        DB<58> eval $str
        kill all kitties!

    update

    In order to avoid syntax errors you need to check $@ to see if the eval was successful. NB line 82: not all errors are caught, though.

        DB<80> @list = eval ",1..3"; unless($@){say for @list }

        DB<81> @list = eval "1..3"; unless($@){say for @list }
        1
        2
        3

        DB<82> @list = eval "1.3"; unless($@){say for @list }
        1.3

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery

      I think rejecting any $str containing anything which isn't a cipher, comma or dot prior to eval $str should be good enough

      Not quite, since it would also accept ",....," and other things like that (one of the things I meant with "other subtle bugs"). Personally I would suggest both a regex like /\A(\d+(?:\.\.\d+)?)(?:,(?1))*\z/ and checking eval for errors. And at that level, the complexity is high enough that something like* tybalt89's solution is probably better.

      * Update: By which I mean, something like tybalt89's solution with some added error checking ;-)

        > both a regex like /\A(\d+(?:\.\.\d+)?)(?:,(?1))*\z/

        That's overkill in that case,...

        > and checking eval for errors.

        ... checking eval for errors is enough, once the code fails.

        Your all-covered approach reminds me of parents insisting on driving their kids to school while they keep their bike helmets on.

        This way you are scaring them away from learning how to bike by themselves.

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        Wikisyntax for the Monastery
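
The two approaches argued over above, side by side, as an added example that is not code from the thread or from tybalt89's solution: the character-class filter from LanX's post (digits, comma, dot only) next to the anchored recursive regex haukex suggests, followed by expanding the validated list without eval at all. The subroutine names, the sample strings and the reversed-range check are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the thread. Names and test strings are constructed.

# Weak filter from LanX's post: a character class only, no structure.
# It rejects the kitties injection (letters), but accepts ",....," and "1.3".
sub weak_filter_ok {
    my ($str) = @_;
    return $str !~ m/[^0-9,.]/;
}

# Strict validation from haukex's reply: anchored to the whole string, and
# (?1) recurses into group 1 so every comma-separated item must be N or N..M.
my $LIST_RE = qr/\A(\d+(?:\.\.\d+)?)(?:,(?1))*\z/;

# Validate, then expand the list ourselves. No eval, so nothing in $str is
# ever treated as code. Returns the empty list on any rejected input.
sub parse_list {
    my ($str) = @_;
    return unless defined $str && $str =~ $LIST_RE;
    my @out;
    for my $item (split /,/, $str) {
        if ($item =~ /\A(\d+)\.\.(\d+)\z/) {
            return if $1 > $2;      # reject reversed ranges such as 9..2
            push @out, $1 .. $2;
        } else {
            push @out, $item + 0;   # plain integer
        }
    }
    return @out;
}

# The eval-based version with the weak filter and $@ checked, for comparison.
# ",....," gets through the filter and is only stopped by eval's syntax error;
# "1.3" gets through both and silently becomes a single float (cf. DB<82>).
sub eval_list {
    my ($str) = @_;
    return unless weak_filter_ok($str);
    my @list = eval $str;
    return if $@;
    return @list;
}

my @cases = (
    '2,4..9',                                # well-formed list
    ',....,',                                # weak filter passes; not a list
    '1.3',                                   # weak filter passes; a float
    '9..2',                                  # reversed range
    '2,4..9,@{[say "kill all kitties!"]}',   # injection from LanX's post
);

for my $str (@cases) {
    my @safe  = parse_list($str);
    my @evald = eval_list($str);
    printf "%-38s parse_list=[%s]  eval_list=[%s]\n",
        $str, join(',', @safe), join(',', @evald);
}
```

With the strict regex in front, the eval is no longer needed at all; the grammar of an acceptable string is small enough that expanding it by hand is shorter than reasoning about what eval might do with whatever slipped past a filter.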
