in reply to Running untrusted perl code

I assume you are talking about letting people use a browser-based perl execute widget for some sort of tutorial purposes? Each CGI is a separate process, so you could still consume all your resources quite easily, I would think. 2% at a time x 50 times == 100%

use LWP::Simple; get( 'http://domain.com/cgi-bin/safe.pl?code=fork+while+1;dump' ) for +1..10000;

Code intentionally partially invalid

cheers

tachyon

Re: Re: Running untrusted perl code
by BUU (Prior) on May 30, 2004 at 21:33 UTC
    Heh, congratulations, you've managed to come up with the same damn problem I came up with thinking about this last night. The best solution I can think of, at the moment, is to require some sort of authentication with the server, so you have to create an account, and do some sort of process limit at the user level.

    The script in question isn't going to be a CGI, it's going to be a dedicated perl script that runs the untrusted perl code. Mostly.

    The only trick there, of course, is to prevent one "user" from having a large number of accounts, on which, I confess, I'm a tad stumped.
      So impose an artificial limit on the maximum number of processes, period. That way if you get 100 users trying to test stuff at the same time (and the user limit is 1), and the max limit is 20, 80 of them will be informed to try again later :)

      MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
      I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
      ** The third rule of perl club is a statement of fact: pod is sexy.
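
The admission scheme discussed in this thread (one job per user, a hard cap of 20 jobs in total, everyone else told to try again later), as an added example that is not code from any poster. It assumes lock files under a private directory and a Perl whose `flock` maps to flock(2), as on Linux; `try_lock`, `admit` and `$MAX_TOTAL` are hypothetical names.

```perl
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);

my $MAX_TOTAL = 20;    # global cap, independent of how many accounts exist

# Take an exclusive, non-blocking lock; return the open handle or undef.
sub try_lock {
    my ($path) = @_;
    open(my $fh, '>>', $path) or die "open $path: $!";
    return flock($fh, LOCK_EX | LOCK_NB) ? $fh : undef;
}

# Returns (user lock, slot lock) when the job may run, an empty list otherwise.
# The kernel drops both locks when the holder exits, so a killed job frees its slot.
sub admit {
    my ($dir, $user) = @_;
    die "bad user name\n" unless $user =~ /\A[A-Za-z0-9_]{1,32}\z/;  # name goes into a path
    my $user_lock = try_lock("$dir/user.$user") or return;           # user limit of 1
    for my $n (0 .. $MAX_TOTAL - 1) {
        my $slot = try_lock("$dir/slot.$n") or next;
        return ($user_lock, $slot);    # caller keeps both open while the job runs
    }
    return;    # every slot busy; $user_lock closes here, releasing the user
}

# Constructed demo: 100 distinct users ask for a slot at the same time.
my $dir     = tempdir(CLEANUP => 1);
my @held;
my $refused = 0;
for my $i (1 .. 100) {
    my @locks = admit($dir, "user$i");
    if (@locks) { push @held, \@locks } else { $refused++ }
}
printf "admitted=%d try-again-later=%d\n", scalar @held, $refused;

pop @held;                              # one job finishes; its handles close
my @again = admit($dir, 'user1');       # user1 still has a job running
my @fresh = admit($dir, 'user101');     # a new user takes the freed slot
printf "user1 retry: %s, user101: %s\n",
    (@again ? 'admitted' : 'try again later'),
    (@fresh ? 'admitted' : 'try again later');
```

The global cap holds no matter how many accounts one person registers, which is why it covers the multiple-accounts case that the per-user limit alone does not.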