This function should be safe to use as it will only do the eval if the string contains + - . 0 1 2 3 4 5 6 7 8 9 / plus spaces and tabs which are harmless.
It is safer than an unchecked eval, but not completely safe or devoid of side effects. An attacker could:
a) Cause the eval to throw an exception with input like 5++ or 4/0. This could in turn make the whole program die or misbehave in certain situation, and has the side effects of triggering the signal handlers and clobbering $@, in addition to making the eval return undef.
b) Test certain numeric patterns against $_ or even compute its value. For example, the following input makes the eval return the value of $_, if it's an integer in the range 0..99.
/1//1+/2//0.5+/3//0.333333333333333+/4//0.25+/5//0.2+/6// 0.166666666666667+/7//0.142857142857143+/8//0.125+/9// 0.111111111111111+/1.//0.1-/1.//1+/2.//0.05-/2.//0.5+/3.// 0.0333333333333333-/3.//0.333333333333333+/4.//0.025-/4.// 0.25+/5.//0.02-/5.//0.2+/6.//0.0166666666666667-/6.// 0.166666666666667+/7.//0.0142857142857143-/7.// 0.142857142857143+/8.//0.0125-/8.//0.125+/9.// 0.0111111111111111-/9.//0.111111111111111+/11//1+/22// 0.5+/33//0.333333333333333+/44//0.25+/55//0.2+/66// 0.166666666666667+/77//0.142857142857143+/88//0.125+/ 99//0.111111111111111
c) I DON'T KNOW if it's possible to create a regexp that takes forever to run only with the allowed characters.
In reply to Re^2: Arithmetic with fractions
by calin
in thread Arithmetic with fractions
by algonquin
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |