I'm looking at the Locale::Maketext code and came across this in the _compile method (line 435 onwards in Maketext.pm):

    if(length $c[-1]) { # Now actually processing the preceding literal
      $big_pile .= $c[-1];
      if($USE_LITERALS and (
        (ord('A') == 65)
         ? $c[-1] !~ m<[^\x20-\x7E]>s # ASCII very safe chars
         : $c[-1] !~ m/[^ !"\#\$%&'()*+,\-.\/0-9:;<=>?\@A-Z[\\\]^_`a-z{|} +~\x07]/s # EBCDIC very safe chars
      )) {
        # normal case -- all very safe chars
        $c[-1] =~ s/'/\\'/g;
        push @code, q{ '} . $c[-1] . "',\n";
        $c[-1] = ''; # reuse this slot
      } else {
        push @code, ' $c[' . $#c . "],\n";
        push @c, ''; # new chunk
      }
    }

I'm wondering why potentially unsafe characters are handled differently in the above code?

Since this is extracting string literals from an external source for a later eval, would the following generalized code be safe:

    my $literal = <DATA>;
    $literal =~ s/\\*'/\\'/g;

    # later on...
    # There may be a number of literals in reality -
    # each would be single quoted to prevent interpolation
    my $string = eval "'$literal'";

    __DATA__
    this could be \'; system("ls -la");\'

I.e., the above code could look something like this instead:

    if(length $c[-1]) { # Now actually processing the preceding literal
      $big_pile .= $c[-1];
      $c[-1] =~ s/\\*'/\\'/g;
      push @code, " '$c[-1]',\n";
      $c[-1] = ''; # reuse this slot
    }

This isn't a criticism of L::Maketext, rather I'm just curious to know if there are situations where evaling a single quoted literal with all single quotes escaped might still cause accidental interpolation.

Can anyone suggest security problems with this - if you can give a simple example to illustrate, even better. BTW, I appreciate that the noddy example code I've provided doesn't need eval - it's just there as a simple example.
Thanks
In reply to Safe eval of string literals? by Anonymous Monk
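An added check (not from the post or from Locale::Maketext) that feeds constructed inputs through the question's escaper and through an escaper that handles both backslash and quote, evals each as a single-quoted literal, and reports whether the value survived the round trip. The sub names and sample strings are my own; the third sample is the __DATA__ line from the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escaper from the question: any run of backslashes before a quote
# becomes a single backslash-quote.  Backslashes elsewhere are untouched.
sub escape_question {
    my $s = shift;
    $s =~ s/\\*'/\\'/g;
    return $s;
}

# Escaper that round-trips: inside a Perl single-quoted string only \\
# and \' are escape sequences, so escape backslashes first, then quotes.
sub escape_full {
    my $s = shift;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    return $s;
}

# Wrap the escaped text in single quotes, eval it, classify the outcome.
sub check {
    my ($escaper, $raw) = @_;
    my $src = "'" . $escaper->($raw) . "'";
    my $got = eval $src;
    return 'eval error' if $@;             # literal did not even parse
    return 'ok'         if $got eq $raw;   # value survived the round trip
    return 'mismatch';                     # parsed, but the data changed
}

# Constructed inputs.  A trailing backslash is the important case: it
# escapes the closing quote, so the literal runs into whatever code
# follows it instead of ending where the generator thinks it ends.
my @samples = (
    q{plain text},
    q{it's fine},
    q{this could be \'; system("ls -la");\'},
    q{ends with a backslash \\},
    q{two \\\\ backslashes},
);

for my $raw (@samples) {
    printf "%-42s question: %-10s full: %s\n",
        "[$raw]", check(\&escape_question, $raw), check(\&escape_full, $raw);
}
```

Expected results: the first two samples pass with both escapers, the __DATA__ line and the double-backslash sample come back altered ("mismatch") under the question's escaper, and the trailing-backslash sample fails to parse ("eval error") under it, while all five round-trip with the full escaper. Maketext's else branch sidesteps the issue entirely by emitting a reference to $c[N] rather than embedding the text in the generated code.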