in reply to Embedded Syntax Checker?

One way would be to wrap it in a sub. Then eval would compile the sub, and calling the sub would execute it:
    #!/usr/bin/perl -Tw
    use strict;

    my @code = (
        'for(my $i=0;$i<10;$i++) { print $i," "; }; print "\n";',
        'blarmityschlammit',
        'for(my $i=0;$i<10;$i++) { print $i,"\n";', # Missing closing brace
        '}; print "code4 sneaky code\n"; sub { print "code4 regular code\n";'
    );

    for my $i (0..$#code) {
        print "\n** Compiling code block $i\n";
        my $user_code = eval "sub { $code[$i] };";
        if ($@) {
            warn "Bad user code block: $@\n";
            next;
        }
        print "** Running code block $i\n";
        $user_code->();
    }

As the last example demonstrates, it's possible to break out of this and execute code at compile-time, but it's unlikely to happen accidentally. If you don't have malicious code, something like this will probably work OK. If you do, as merlyn said, you'll need to use the Safe module.
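
The Safe approach recommended above, applied to the same kind of input; this is an added example, not code from the original post. The helper name `compile_user_code`, the sample blocks and the choice to permit `:base_io` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Constructed sample blocks, modelled on the ones in the post above.
my @code = (
    'for (my $i = 0; $i < 3; $i++) { print $i, " "; } print "\n";',
    'for (my $i = 0; $i < 3; $i++) { print $i, "\n";',   # missing closing brace
    # Break-out that uses only permitted ops: the print still runs during reval.
    '}; print "ran during reval\n"; sub { print "regular code\n";',
    # Break-out that reaches for a filesystem op: trapped by the opmask.
    '}; mkdir "sneaky_dir"; sub { print "regular code\n";',
);

# Hypothetical helper: compile one block in a fresh compartment.
# Returns (coderef, undef) on success or (undef, error text) on failure.
sub compile_user_code {
    my ($src) = @_;
    my $cpt = Safe->new;
    # Assumption: user code may print to already-open handles, nothing more.
    $cpt->permit(':base_io');
    my $sub = $cpt->reval("sub { $src };");
    my $err = $@;
    return ($sub, undef) if ref($sub) eq 'CODE';
    return (undef, $err || "block did not yield a code reference\n");
}

for my $i (0 .. $#code) {
    print "\n** Compiling code block $i\n";
    my ($user_code, $err) = compile_user_code($code[$i]);
    if (!$user_code) {
        warn "Bad user code block: $err";
        next;
    }
    print "** Running code block $i\n";
    # Safe wraps code refs returned by reval, so the call is still confined.
    $user_code->();
}
```

The compartment does not stop the wrapper break-out itself; it limits which operations the broken-out code is allowed to compile.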

Re: Re: Embedded Syntax Checker?
by Anonymous Monk on Apr 21, 2004 at 16:22 UTC

    Thanks for your response. I didn't think of code being executed in the BEGIN block so that's a good point - an interesting example, too. In my case, there shouldn't be any intentional maliciousness - in fact, the user will have no more (or less) access than they would under normal circumstances.

    I guess wrapping in sub was the key that I overlooked. Thanks a lot! Thanks also to merlyn and everyone else who responded so quickly!


    -- Andy

      Note, there are many ways a BEGIN block can get executed without ever having the word BEGIN in your code. For example:
          # In Test.pm
          package Test;
          sub import { print "Boo!\n"; }
          1;
          --------------
          # In your script
          use Test;

      Where's the BEGIN?

      There actually was a question/meditation on here about 2 years ago on this very topic. I don't remember the details, but the OP was remarking that he was running into a forking/threading/caching/whatever issue. It turned out that there was a module about 4 levels back into the uses that was doing something he didn't want. And, it was happening at compile-time, so he couldn't disable it.

      ------
      We are the carpenters and bricklayers of the Information Age.

      Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose

Re: Re: Embedded Syntax Checker?
by flyingmoose (Priest) on Apr 21, 2004 at 19:06 UTC
    Andy, I'd really like to know why you are doing this at all... seems that accepting input as perl code over the 'net (or wherever) is a very bad idea. For those that need access to install plugins (this sounds like what you are doing), allow the filesystem to enforce the protections -- that is -- require them to have an account on the box. If they must do this remotely, this is what version control systems and SSH are for. Even Net::SSH if you must. Maybe if I understood the goal a little better...

    And if you are running, say, a student test program, if your students OWNZOR your box you might as well just get them expelled :)

    But still, I do agree it would be nice to not have these BEGIN block vulnerabilities, but checking syntax without BEGIN blocks would look like broken syntax for many things that used BEGIN.