in reply to Is there such a thing as safe eval?

I would just regex out the things I don't want evaled. e.g. $str =~ s/unlink.*;//g;

Should work :)

--nutshell

Replies are listed 'Best First'.
Re(2): bad advice on safe eval
by Ovid (Cardinal) on May 09, 2003 at 23:34 UTC

    With all due respect, every time you come up with something to remove, I and others can come up with something bad to put in there. For example, how would you "sanitize" the following (given the caveat that I didn't make it dangerous):

    $_ = 'sub _{local $_=shift;y/A-Z/a-z/;y/0-9//d;$_}$_=q{P1R2I3N4T "R0M 
+-F0R"};s/(.*)/_($1)/sexe';
eval;

    [download]

    Cheers,
    Ovid

    New address of my CGI Course.
    Silence is Evil (feel free to copy and distribute widely - note copyright text)

[reply]
[d/l]
Re: Re: Is there such a thing as safe eval?
by Your Mother (Archbishop) on May 10, 2003 at 00:46 UTC
    Generally speaking, the opposite approach is the way to go for most security situations. Disallow everything and only open what you want.

    So if you have a handful of commands you're willing to eval, you could regex verify them. But trying to build a stop-list of things not to eval is fraught with terror, as Ovid demonstrates above.

[reply]
[d/l]
[select]
Re: Re: Is there such a thing as safe eval?
by rzward (Monk) on May 09, 2003 at 23:17 UTC
    Thank you for your suggestion.

    To do a good job using regex I think I would need to know the difference between unlink the function and $unlink the variable (it might happen!) So I would basically be building a Perl parser for the string and complaining if the parser encountered any in my list of illegal functions.

    I don't think this is very difficult but is there another way of doing this that is more reliable?

    Richard

[reply]

In Section Seekers of Perl Wisdom