Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Re^2: ascii colors from text file

by extremely (Priest)
on Mar 02, 2007 at 20:37 UTC ( [id://602957]=note: print w/replies, xml ) Need Help??


in reply to Re: ascii colors from text file
in thread ascii colors from text file

Of course, if he parses the file by splitting on white space and then on "=" like most people would first think to do, then you've ensured that anyone who can edit the color file can cause him to run arbitrary code.

Maybe not a big deal for him but probably not a great meme to spread around.

Worse, your example evals the final string, not the color text once when parsing. That means if he has "$1 dollar" anywhere in his text he's getting lord knows what in place of "$1"... probably "=" or the last title word ("color15"?) depending on how his parser works. Hopefully he won't print a nice "$$$$$$$$$$$$" anywhere when decorating his report. :)

--
$you = new YOU;
honk() if $you->love(perl)

Replies are listed 'Best First'.
Re^3: ascii colors from text file
by almut (Canon) on Mar 02, 2007 at 22:53 UTC

    Yeah sure, I agree that eval is always potentially dangerous... I figured this is rather well-known. And, I wasn't trying to spread "great memes" :)   Rather, I was simply trying to generically answer the problem of "Normally, I would use a double quoted string in my script... now what do I do to arrive at the same effect when I hold the part in between the quotes literally in a string, like when having read it from a file?"   Nowhere in the OP was any mention of other people potentially having control over the input.

    Along similar lines you'd have to warn people every time they interpolate some variable into some command like

    system "convert $imgname.png $imgname.jpg"
    because, if $imgname could potentially come from an insecure source, they might get into trouble inadvertendly running something like

    system "convert ; rm -rf ~/* ;.png ..."

    I'd probably even mention it if the danger is obvious, like someone inexperienced trying to execute code like this in CGI context or some such, but otherwise... should we always warn?

      [about string eval to enforce interpolation]

      I'd probably even mention it if the danger is obvious, like someone inexperienced trying to execute code like this in CGI context or some such, but otherwise... should we always warn?

      Well, you don't know in what context someone will read your write-up in the future. Even in the given context, I am by no means sure if the original author is aware of the possible risk. She or he accepted the advice rather light-heartedly. I think we should always warn.

      Anno

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://602957]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others surveying the Monastery: (4)
As of 2024-03-29 09:07 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found