Perhaps you should look at doing this in a Safe compartment that cannot execute anything.

#!/usr/bin/perl -Tw

use strict;

my @code = (
'for(my $i=0;$i<10;$i++) { print $i," "; }; print "\n";',
'blarmityschlammit',
'for(my $i=0;$i<10;$i++) { print $i,"\n";', # Missing closing brace
'}; print "code4 sneaky code\n"; sub { print "code4 regular code\n";'
        );
for my $i (0..$#code)
{
    print "\n** Compiling code block $i\n";
    my $user_code = eval "sub { $code[$i] };";
    if ($@)
    {
      warn "Bad user code block: $@\n";
      next;
  }
    print "** Running code block $i\n";
    $user_code->();
}
[download]

As the last example demonstrates, it's possible to break out of this and execute code at compile-time, but it's unlikely to happen accidentally. If you don't have malicious code, something like this will probably work OK. If you do, as merlyn said, you'll need to use the Safe module.

Thanks for your response. I didn't think of code being executed in the BEGIN block so that's a good point - an interesting, example, too. In my case, there shouldn't be any intentional maliciousness - in fact, the user will have no more (or less) access than they would under normal circumstances.

I guess wrapping in sub was the key that I overlooked. Thanks a lot! Thanks also to merlyn and everyone else who responded so quickly!




-- Andy

Note, there are many ways a BEGIN block can get executed without ever having the word BEGIN in your code. For example:

# In Test.pm
package Test;

sub import { print "Boo!\n"; }

1;

--------------
# In your script

use Test;
[download]

Where's the BEGIN?

There actually was a question/meditation on here about 2 years ago on this very topic. I don't remember the details, but the OP was remarking that he was running into a forking/threading/caching/whatever issue. It turned out that there was a module about 4 levels back into the uses that was doing something he didn't want. And, it was happening at compile-time, so he couldn't disable it.

------
We are the carpenters and bricklayers of the Information Age.

Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose

Andy, I'd really like to know why you are doing this at all... seems that accepting input as perl code over the 'net (or wherever) is a very bad idea. For those that need access to install plugins (this sounds like what you are doing), allow the filesystem to enforce the protections -- that is -- require them to have an account on the box. If they must do this remotely, this is what version control systems and SSH are for. Even Net::SSH if you must. Maybe if I understood the goal a little better...

and if you are running say, a student test program, if your students OWNZOR your box you might as well just get them expelled :)

But still, I do agree it would be nice to not have these BEGIN block vulnerabilities, but checking syntax without BEGIN blocks would look like broken syntax for many things that used BEGIN.

      -c   causes Perl to check the syntax of the program and
            then exit without executing it.  Actually, it will
            execute "BEGIN", "CHECK", and "use" blocks, because
            these are considered as occurring outside the execu-
            tion of your program.  "INIT" and "END" blocks, how-
            ever, will be skipped.
[download]

Thanks - I was trying to avoid shelling out. perl -c is exactly what I want, but I want to use it as a function, ala:

perlminusc($str); # syntax check _only_ of $str
[download]

Thanks!


-- Andy