Re^2: Execute a string which has math operation

Replies are listed 'Best First'.
Re^3: Execute a string which has math operation by Preceptor (Deacon) on Jan 05, 2014 at 10:22 UTC
It is - using eval to execute user supplied 'stuff' is dangerous. However it's _most_ dangerous when the program runs as a privileged user (e.g. web server, database instance). If I write a script, and then 'break' it, then I don't elevate my privileges, so at best it's a cute trick, on a part with using perl to 'process' STDIN. A case in point If however, you do have potential privilege escalation, then it's very important to sanitise your inputs. Normally, you'd do this by 'whitelisting' certain characters (e.g. numbers + arithmetic operators) and removing anything that isn't. URI::Escape may be useful for that - if you do it right, a regular expression will do the trick, but I can't elaborate off the top of my head.	[reply]

Replies are listed 'Best First'.

Re^3: Execute a string which has math operation
by Preceptor (Deacon) on Jan 05, 2014 at 10:22 UTC

It is - using eval to execute user supplied 'stuff' is dangerous. However it's _most_ dangerous when the program runs as a privileged user (e.g. web server, database instance). If I write a script, and then 'break' it, then I don't elevate my privileges, so at best it's a cute trick, on a part with using perl to 'process' STDIN.

A case in point

If however, you do have potential privilege escalation, then it's very important to sanitise your inputs. Normally, you'd do this by 'whitelisting' certain characters (e.g. numbers + arithmetic operators) and removing anything that isn't. URI::Escape may be useful for that - if you do it right, a regular expression will do the trick, but I can't elaborate off the top of my head.

[reply]