in reply to Re: Safe eval of string literals?
in thread Safe eval of string literals?
On my machine:

```perl
use strict;
use warnings;

my $literal = <DATA>;
$literal =~ s/\\*'/\\'/g;

# later on...
# There may be a number of literals in reality -
# each would be single quoted to prevent interpolation
my $string = eval "'$literal'";
print $string, "\n";

__DATA__
this could be \x27; print system('ls -la'); \x27
```
Since the string is evaled within single quotes: "'$literal'", \x{} notated characters shouldn't get interpreted. Of course it's essential to escape single quotes, or nasty things can easily get through, and it's especially important to handle escaped single quotes, or stuff like "\'; print system("ls -la"); \'" would slip through.

```
>perl testcode.pl
this could be \x27; print system('ls -la'); \x27
```
From comments a few others have made on other mailing lists, Safe.pm seems to be a great idea, but in reality it has limitations and isn't as secure as it should be - it also adds an overhead that I could do without.
With regards to rinceWind's reply - we're talking about l10n data loaded from 'internal' sources (eg. program resources installed locally or on the local network), so CGI and data tainting isn't a particularly useful model. I didn't make that clear enough, so sorry about that. Of course, if a sysadmin installs a rogue app without thinking (never!), it's still nice to limit/prevent damage caused by hacked .PO or .MO files, which is why I'm asking about it here :)
Thanks for the replies so far, and keep 'em coming!
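An added example, not code from this post or the thread: a decoder that applies the same rules as a Perl single-quoted literal (`\\` and `\'` only) so the l10n data never reaches the Perl parser at all. The sample lines are constructed, standing in for hostile .PO/.MO content.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode a string using exactly the rules a Perl single-quoted literal
# applies: "\\" becomes "\" and "\'" becomes "'". Everything else,
# including \xHH and any quote produced by the decoding, is kept as
# plain text. Because the data never reaches the Perl parser there is
# no quoting step to get wrong and no way for it to run as code.
sub decode_single_quoted {
    my ($literal) = @_;
    $literal =~ s/\\([\\'])/$1/g;
    return $literal;
}

# Self-check against a value written as a real single-quoted literal.
die "self-check failed\n"
    unless decode_single_quoted(q{don\'t}) eq 'don\'t';

# Constructed sample lines standing in for hostile .PO/.MO content
# (the first two are the cases discussed in the thread). A <<'END'
# heredoc keeps every backslash exactly as written.
my @samples = split /\n/, <<'END';
this could be \x27; print system('ls -la'); \x27
\'; print system("ls -la"); \'
C:\\temp\\file.txt
END

for my $line (@samples) {
    my $value = decode_single_quoted($line);
    # $value is ordinary data: print it or store it, nothing is executed.
    print "$line\n  => $value\n";
}
```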