in reply to trouble with packages/eval/variable-scoping

    my $savefile = new FileHandle("xxx.ptysav", "r");
    my $lines = join("", ($savefile->getlines()));
    my $result = eval $lines; # <- here is the eval
    close($savefile);

That looks really dangerous!

Imagine someone changing xxx.ptysav to contain $_=`rm -rf /`;. That would be a bad day for you.

See also:

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Re^2: trouble with packages/eval/variable-scoping
by eyepopslikeamosquito (Archbishop) on Aug 29, 2024 at 23:32 UTC
Re^2: trouble with packages/eval/variable-scoping
by LanX (Saint) on Aug 30, 2024 at 10:38 UTC
    > Imagine someone changing xxx.ptysav

    That's not very different to use, require or do FILE.

    The essential question is "who has the necessary rights to modify FILE".

    (Or any code in general)

    Where in the OP's post do you see that it's an open config file accessible by others?

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    see Wikisyntax for the Monastery

      Where in the OP's post do you see that it's an open config file accessible by others?

      Trouble is, it's not just "others" that you have to worry about. In your config file it is your own typos, etc. Config files should be parsed, not executed. And if for some odd reason they must be executed, do it at compile time. And if for some other reason you have to do it at run-time then you'd better be using taint mode.


      🦛
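A worked version of hippo's "parsed, not executed" advice and of LanX's "who can modify FILE" question, added here as an example and not code posted by anyone in the thread: the save file is read as name = value settings instead of being handed to eval, and the script refuses a file that anyone besides its owner can write. The sample file contents and the settings names are constructed for the example.

```perl
# Added example, not code from the thread: treat xxx.ptysav as data.
use strict;
use warnings;
use File::Temp qw(tempfile);

# "Who has the rights to modify FILE?" made explicit: refuse a save file
# that anyone besides its owner can write.
sub assert_owner_writable_only {
    my ($path) = @_;
    my @st = stat($path) or die "stat $path: $!\n";
    my $mode = $st[2] & 07777;
    die sprintf("%s has mode %04o: group/world writable, refusing\n", $path, $mode)
        if $mode & 022;
}

# Parse only  name = value  lines. Anything else is rejected, so neither a
# typo nor an injected statement can ever be executed.
sub load_settings {
    my ($path) = @_;
    my %cfg;
    open(my $fh, '<', $path) or die "open $path: $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;                 # comments and blanks
        if ($line =~ /^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/) {
            $cfg{$1} = $2;
        } else {
            die "$path line $.: not a 'name = value' setting: '$line'\n";
        }
    }
    close($fh);
    return \%cfg;
}

# Constructed sample save files, written to temp paths (mode 0600) so this runs anywhere.
sub write_sample {
    my ($content) = @_;
    my ($fh, $path) = tempfile(UNLINK => 1);
    print $fh $content;
    close($fh);
    return $path;
}

for my $path (write_sample("# saved by the Tk app\nwidth = 800\nheight = 600\n"),
              write_sample("width = 800\n\$_ = `rm -rf /`;\n")) {  # the line from the thread
    assert_owner_writable_only($path);
    my $cfg = eval { load_settings($path) };
    if ($@) { print "rejected: $@"; }
    else    { print "loaded: ", join(', ', map { "$_=$cfg->{$_}" } sort keys %$cfg), "\n"; }
}
```

The first sample loads as two settings; the second is rejected at the line that would have been executed under eval, with the offending line in the message.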

        First of all I can't see that it's a config file.

        Secondly, the same must apply to all modules etc.

        Thirdly, if the OP is generating code in his Tk app and keeps it safe, where is the problem?

        This would apply as meta programming, and I could come up with multiple use cases for this.

        Meta
        I really have a problem with dogmatic preaching just after a trigger point like eval is shown ...

        I'm pretty sure we wouldn't have seen this discussion if the OP was using require to load the code.

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        see Wikisyntax for the Monastery