in reply to Safe eval of string literals?

I'm just curious to know if there are situations where evaling a single quoted literal with all single quotes escaped might still cause accidental interpolation.

After further thought, yes -- they could use backslash escapes to encode a single quote; for example, $literal could contain \x27; print system('ls -la'); \x27.

Update: Or not, as pointed out below -- I had rigged my test case a bit differently than the OP and went off on a tangent somewhere...

Re: Re: Safe eval of string literals?
by Anonymous Monk on Aug 19, 2003 at 20:23 UTC
    Thanks for the replies, but have you actually tried it?
        my $literal = <DATA>;
        $literal =~ s/\\*'/\\'/g;

        # later on...
        # There may be a number of literals in reality -
        # each would be single quoted to prevent interpolation
        my $string = eval "'$literal'";
        print $string, "\n";

        __DATA__
        this could be \x27; print system('ls -la'); \x27
    On my machine:
        >perl testcode.pl
        this could be \x27; print system('ls -la'); \x27
    Since the string is evaled within single quotes: "'$literal'", \x{} notated characters shouldn't get interpreted. Of course it's essential to escape single quotes, or nasty things can easily get through, and it's especially important to handle escaped single quotes or stuff like "\'; print system("ls -la"); \'" would slip through.

    From comments a few others have made on other mailing lists, Safe.pm seems to be a great idea, but in reality it has limitations and isn't as secure as it should be - it also adds an overhead that I could do without.

    With regards to rinceWind's reply - we're talking about l10n data loaded from 'internal' sources (eg. program resources installed locally or on the local network), so CGI and data tainting isn't a particularly useful model. I didn't make that clear enough, so sorry about that. Of course, if a sysadmin installs a rogue app without thinking (never!), it's still nice to limit/prevent damage caused by hacked .PO or .MO files, which is why I'm asking about it here :)

    Thanks for the replies so far, and keep 'em coming!
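Added example (not from the thread): the post's escaping regex beside a hardened one, each round-tripped through eval "'...'" on a few constructed literals. The hardened version is the usual order-sensitive fix (double backslashes first, then escape quotes), so no backslash can reach the closing quote; its name and the test literals are my own.

```perl
use strict;
use warnings;

# Escaping as posted: collapse any run of backslashes before a quote into \'
sub quote_posted {
    my ($lit) = @_;
    $lit =~ s/\\*'/\\'/g;
    return $lit;
}

# Hardened escaping (assumption: standard fix, not from the thread):
# backslashes first, then quotes. A literal can then never end in a lone
# backslash that escapes the closing quote, and \\ sequences survive.
sub quote_hardened {
    my ($lit) = @_;
    $lit =~ s/\\/\\\\/g;
    $lit =~ s/'/\\'/g;
    return $lit;
}

# Eval the escaped literal inside single quotes and compare with the input:
# "ok" means eval returned exactly the original text, nothing more.
sub round_trip {
    my ($escaper, $lit) = @_;
    my $string = eval("'" . $escaper->($lit) . "'");
    if ($@) { my $err = $@; chomp $err; return "EVAL ERROR: $err"; }
    return (defined $string && $string eq $lit) ? "ok" : "CHANGED: $string";
}

# Constructed test literals (q{} keeps backslashes literal except \\ and \})
my @cases = (
    q{this could be \x27; print system('ls -la'); \x27},   # the post's case
    q{\'; print system("ls -la"); \'},                     # escaped-quote case
    q{trailing backslash\\},                               # ends in one backslash
    q{C:\\\\temp},                                         # contains \\ (two backslashes)
);

for my $lit (@cases) {
    printf "%-48s posted: %-40s hardened: %s\n", $lit,
        round_trip(\&quote_posted, $lit), round_trip(\&quote_hardened, $lit);
}
```

The posted regex passes the first case but fails the eval on a literal ending in a backslash and silently alters the other two; the hardened order returns every literal unchanged, which also shows that once escaping is correct the eval adds nothing over using $literal directly.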