#!/usr/bin/perl -w use strict; use Safe; my $secret="my-password-should-never-be-shown\n"; ## the following are lines that a web user could try to pass to my pro +gram my $_ = <<HEREDOC; sub round { return sprintf("%.\$_[1]f", \$_[0]); } ; my \$in=rand(); m +y \$answer=(\$in+log(10)); print "what is \$in+log(10)?\\n"; round(\$ +answer,3) ## this should evaluate just fine print \$secret; ## yikes, sho +uld be an error system("ls") ## yikes, sho +uld be an error `ls` ## yikes, sho +uld be an error open(FIN, ">", "really-bad-to-write-to-fs") ## yikes, sho +uld be an error HEREDOC foreach (split(/\n/, $_)) { print "\n----------------\nExecuting '$_'\n\n"; # this executes everything blindly and is a really bad idea my $result=eval($_); print "UNSAFE '$_'\n\t\t-> ".($result||"undef")."\n\n\n"; # this does not do what I had hoped it to do # I want the first line be executed, and all other lines to be trapp +ed. my $compartment= new Safe; $result= $compartment->reval("$_"); print "SAFE '$_'\n\t\t-> ".($result||"undef")."\n\n\n"; }
Unfortunately, my reval does not execute anything. is there a set of ops that are what I should open up to allow exactly and only what I used in the first line?
Advice appreciated.
In reply to use of Safe module by iaw4
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |