PhilHibbs has asked for the wisdom of the Perl Monks concerning the following question:

The first script in Clipboard transform keys takes the Win32 clipboard, execs it, and stuffs the results back. I know that this is a no-no in terms of security, but it is a script that only I use on my local machine, will never be exposed to the internet, and only processes the clipboard contents anyway. This is the latest version of the clipboard calculator.

My question is: If I did want to improve the security while retaining the functionality, how would I go about it? Does exec go out the window entirely?

How, for instance, would you go about implementing something like Google Calculator?

Update: The purpose of the code is to do mathematical calculations. I got fed up of switching to Calc and doing it there, and losing the results of old calculations, so now I do all my maths in a text editor. Given this input:

4*3
11-4*2

it produces this output:
4*3 =	12
11-4*2 =	3

Replies are listed 'Best First'.
Re: Hardening an exec-based script
by ikegami (Patriarch) on Aug 16, 2004 at 16:22 UTC

    Some brain-storming-ish thoughts:

    1) You said it "only processes the clipboard contents anyway" implying the risks are minimal, but JavaScript on web pages in IE can or could change the contents of the clipboard.

    2) but since perl is activated independently of the code appearing in the clipboard (using Ctrl-Alt-XXX in Clipboard transform keys), the risk becomes negligible.

    3) To which functionality are you referring when you say "while retaining the functionality"? Executing perl code placed in the clipboard by any application? There's not much that can be done with narrow requirements. You could prepend the perl code with a password, but that's all I can think of.

    4) To implement a google calculator safely, you could parse the equation yourself instead of using eval, but I don't think that's worth it because of (2) above.

      3) It's a calculator. See Update.
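
Added example, not code from the thread or from either poster: point 4 of the reply above (parse the equation yourself instead of evaluating the clipboard text), written as a recursive-descent parser that accepts only decimal numbers, + - * /, unary minus and parentheses. The sub names are hypothetical, and constructed sample lines stand in for the clipboard contents.

```perl
use strict;
use warnings;

my $NUM = qr/\d+(?:\.\d+)?/;   # the only literal accepted: plain decimals

sub calc {                     # hypothetical name; dies on anything outside the grammar
    my ($src) = @_;
    my $val = parse_expr(\$src);
    $src =~ /\G\s*\z/gc or die "unexpected input at offset " . (pos($src) // 0) . "\n";
    return $val;
}
sub parse_expr {               # expr := term (('+'|'-') term)*
    my ($s) = @_;
    my $v = parse_term($s);
    while ($$s =~ /\G\s*([-+])/gc) {
        my $op = $1;
        $v = $op eq '+' ? $v + parse_term($s) : $v - parse_term($s);
    }
    return $v;
}
sub parse_term {               # term := factor (('*'|'/') factor)*
    my ($s) = @_;
    my $v = parse_factor($s);
    while ($$s =~ /\G\s*([*\/])/gc) {
        my $op = $1;
        my $r  = parse_factor($s);
        die "division by zero\n" if $op eq '/' && $r == 0;
        $v = $op eq '*' ? $v * $r : $v / $r;
    }
    return $v;
}
sub parse_factor {             # factor := '-' factor | number | '(' expr ')'
    my ($s) = @_;
    return 0 - parse_factor($s) if $$s =~ /\G\s*-/gc;
    return $1 + 0               if $$s =~ /\G\s*($NUM)/gc;
    if ($$s =~ /\G\s*\(/gc) {
        my $v = parse_expr($s);
        $$s =~ /\G\s*\)/gc or die "missing ')'\n";
        return $v;
    }
    die "number or '(' expected at offset " . (pos($$s) // 0) . "\n";
}

# Constructed sample lines standing in for the clipboard text.
for my $line ('4*3', '11-4*2', '(1+2)*-3', 'system("calc")') {
    my $result = eval { calc($line) };   # block eval only traps die; it runs no text
    chomp(my $err = $@);
    print "$line =\t", (defined $result ? $result : "rejected: $err"), "\n";
}
```

The clipboard text is only ever tokenised and summed, never compiled, so a line that is not arithmetic is reported as rejected rather than run.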