You could do something like this and eval the code you are being given but use a bareblock and a last to ensure that it COMPILES but does not actually ever RUN. The last causes an immediate exit from the block. Comment out the $code = "{last; $code}" to see how this works.
Even using this methodology a malicious coder could force code execution if you allow BEGIN blocks. Comment out the s/BEGIN// to see what I mean. BEGIN {`format C:`} might be a bit of a bummer so we kill these off. By deleting the 'BEGIN' they become ordinary blocks that will never execute owing to the {last; ... } structure.
There may be other security holes in this solution, no doubt they will be duly noted. I used this method in a script (not a CGI!) a while ago because I was totally unable to capture the output of perl -c - it goes to STDOUT on Win32 despite all efforts otherwise. Perl -c also allows BEGIN blocks to !$#% you over as they get EXECUTED even though the rest of the code does not. Abigail has demonstrated a virus based on this behaviour BTW.
jplindstrom reminded me about END blocks and I refresh my memory on CHECK blocks - both these will execute in this structure so I have updated the code to just remove all the blocks constructs.
cheers
tachyon
$code = <<'CODE'; print "Hello World!\n"; BEGIN {print '# hacked #';} CODE $code =~ s/BEGIN|CHECK|INIT|END//g; # kill blocks here $code = "{last; $code}"; # stop test code running eval $code; # now have a look see at $@ to see if it contains an error # due to the test code being invalid. print $@ ? "Invalid\n" : "Syntax OK\n";
In reply to Re: evaluating syntax of code blocks (code)
by tachyon
in thread evaluating syntax of code blocks (code)
by deprecated
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |