in reply to limiting scope of 'eval'??

In fact, I'd like to hide from the eval'd code all variables and functions that were declared outside of it. Is this possible?

All 'my' variables can be hidden with the code below, but the others are trickier. If you can take the performance hit, use system to run the code in a separate interpreter if you can.

# Before any 'my'. Put in a separate module if necessary.
# Use eval_it instead of eval.
# The string is compiled in this sub's own lexical scope, so 'my'
# variables declared after this point are not visible to it.
sub eval_it { eval shift; }

Re^2: limiting scope of 'eval'??
by ManFromNeptune (Scribe) on Aug 22, 2004 at 03:39 UTC
    Ok, here are more details about the application...

    I've got a CGI program "index.pl". This script reads from a flat-file some of the content that will be printed as the web response. However, I want to be able to interpret macros (in perl) from the static file text... So

    flatfile:
    Today is <% $a = localtime(time); print $a; %>
    And index.pl is (basically):
    my $a = "important value";
    # open flatfile here...
    # use index and substr to find macro strings delimited with <% ... %>
    # loop through found macros
    eval($macro);
    # replace macro code with eval value
    # print resulting text
    # keep using variable $a, expecting the value will still be "important value"...
    So here, I'd like a user to be able to use their own variables, and not be able to (even accidentally) mess up the calling script's scoped variables/functions.
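    The macro loop sketched above, as an added example that is not code from this thread or from any poster: it assumes Perl 5 with the core Safe module and uses a regex in place of the index/substr loop. It puts the plain eval of this sketch, the eval_it helper from the reply at the top, and a Safe compartment side by side on a constructed template; the names expand, run_macro and $config and the template text are made up for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: expand <% ... %> macros in
# template text while keeping the caller's variables out of reach.
# Three evaluators are compared on a constructed template.
use strict;
use warnings;
use Safe;

# eval_it, as suggested earlier in the thread: declared before any 'my',
# so the string-eval'd code cannot see this file's lexicals. Package
# globals such as $main::config remain visible to it.
sub eval_it { eval shift }

# A Safe compartment gives the macro its own package namespace (the
# compartment's root, which the macro sees as main::) and an opcode mask.
# The default ':default' mask omits system(), open(), backticks etc.
my $cpt = Safe->new;
$cpt->permit_only(':default');

my $a = "important value";   # the caller's lexical, as in index.pl
our $config = "secret";      # a package global, $main::config (constructed)

# Naive evaluator from the original sketch: plain eval in the scope
# where 'my $a' is visible, so a macro can overwrite it.
sub eval_naive { eval shift }

# Run one macro and turn a failure into a visible marker in the output.
sub run_macro {
    my ($evaluator, $code) = @_;
    my $out = $evaluator->($code);
    if ($@) { chomp(my $err = $@); return "[macro error: $err]" }
    return defined $out ? $out : '';
}

# Replace every <% code %> with the value the code evaluates to.
# A regex stands in for the index/substr loop described in the post.
sub expand {
    my ($text, $evaluator) = @_;
    $text =~ s/<%(.*?)%>/run_macro($evaluator, $1)/gse;
    return $text;
}

# Constructed template text standing in for the flatfile. The system()
# macro calls the harmless 'true' so the comparison runs without effect.
my $template = 'Today is <% $a = localtime(time); $a %>. '
             . 'Shell: <% system("true") %>. '
             . 'Config: <% $main::config %>';

for my $case (['naive eval', \&eval_naive],
              ['eval_it',    \&eval_it],
              ['Safe',       sub { $cpt->reval(shift) }]) {
    my ($name, $evaluator) = @$case;
    $a = "important value";
    print "== $name ==\n", expand($template, $evaluator), "\n";
    print "caller's \$a afterwards: $a\n\n";
}
# naive eval : $a is clobbered by the date; system() runs; config leaks.
# eval_it    : $a survives, but system() still runs and config still leaks.
# Safe       : $a survives, config is empty in the compartment, and the
#              system() macro is reported as trapped by the operation mask.
```

    Run it with perl. The eval_it case is what the earlier reply means by the non-'my' variables being trickier: the lexical $a survives, but $main::config and system() are still reachable from the macro. Safe adds a separate namespace and an opcode mask; it controls which operations compile, not how long a macro runs or how much memory it takes, which is part of why the thread's closing assessment of the sandbox still stands.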

      I note a security implication here; you may have it covered.

      Can flatfile be edited to include:

      Kaboom! <% system(rm *) %>

      or other (possibly inadvertent) malicious code?

      Will index.pl run this code?

      Regards,

      PN5

      Perhaps you are re-inventing the wheel for the furtherance of your own knowledge, or as a homework assignment. Otherwise, I can't help but wonder why you aren't using one of the existing templating systems out there, like Template Toolkit (http://template-toolkit.org)... ?

      --
      edan

        Yes, it's a long story... I am actually using TemplateToolkit in another part of this application. However, the part I'm trying to figure out here has to be end-user-editable (also from a web page that lets them edit the aforementioned textfile.)

        The point above about the system() call is a good one. Methinks there are probably too many security issues with letting people define perl code to be executed by the system... the sandbox isn't well enough controlled.

        Alrighty then... back to the drawing board.

        cheers
        MFN