in reply to Re: limiting scope of 'eval'??
in thread limiting scope of 'eval'??

Ok, here are more details about the application...

I've got a CGI program "index.pl". This script reads from a flat-file some of the content that will be printed as the web response. However, I want to be able to interpret macros (in perl) from the static file text... So

flatfile:
Today is <% $a = localtime(time); print $a; %>
And index.pl is (basically):
my $a = "important value";
# open flatfile here...
# use index and substr to find macro strings delimited with <% ... %>
# loop through found macros
eval($macro)
# replace macro code with eval value
# print resulting text
# keep using variable $a, expecting the value will still be "important value"...
So here, I'd like a user to be able to use their own variables, and not be able to (even accidentally) mess up the calling script's scoped variables/functions.

Re^3: limiting scope of 'eval'??
by Prior Nacre V (Hermit) on Aug 22, 2004 at 06:09 UTC

    I note a security implication here; you may have it covered.

    Can flatfile be edited to include:

    Kaboom! <% system(rm *) %>

    or other (possibly inadvertent) malicious code?

    Will index.pl run this code?

    Regards,

    PN5
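An added example, not code from the thread, of the macro expansion the original post describes, with the eval moved into a compartment from the core Safe module. A plain eval STRING compiles in the enclosing lexical scope, so a macro that assigns to $a overwrites index.pl's own $a; code run through Safe->reval is compiled in the compartment's own package and under an operator mask, so it neither sees the caller's variables nor can call system(), which is the case PN5 raises above. The variable name $title (standing in for the post's $a), the helper names and the sample flat-file text are assumptions made for this example:

```perl
#!/usr/bin/perl
# Added example (not code from the thread): expand <% ... %> macros from a
# user-editable flat file without letting them touch the caller's variables,
# using the core Safe module instead of a bare eval STRING.
use strict;
use warnings;
use Safe;

# Caller state the template must not see or clobber. Stands in for the
# original post's $a (renamed because $a is also sort's package variable).
my $title = "important value";

# Constructed sample flat-file content. The last macro is the kind of thing
# PN5 warned about; system("id") is used instead of rm * so the demo stays
# inert even if someone runs it without Safe.
my $flatfile = <<'END';
Today is <% scalar localtime %>
Shouting: <% uc "hello" %>
Peeking at the caller: <% defined $title ? "leaked" : "not visible" %>
Clobbering: <% $title = "clobbered"; "tried" %>
Kaboom! <% system("id") %>
END

# Run one macro inside the compartment and return the value of its last
# expression (macros return text rather than print it, because print is
# not in Safe's default operator mask). Errors come back in $@; a trapped
# operator reads "'system' trapped by operation mask at (eval N) line 1."
sub run_macro {
    my ($cpt, $code) = @_;
    my $value = $cpt->reval($code);
    if ($@) {
        (my $err = $@) =~ s/\s+at \(eval \d+\) line \d+\.?\s*\z//;
        return "[macro error: $err]";
    }
    return defined $value ? $value : "";
}

# Replace every <% ... %> with the result of running it in the compartment.
# /s lets a macro span lines; the non-greedy .*? stops at the first %>.
sub expand_macros {
    my ($text, $cpt) = @_;
    $text =~ s{<%(.*?)%>}{ run_macro($cpt, $1) }gse;
    return $text;
}

# A fresh compartment: its default mask allows ordinary computation (string
# ops, localtime, loops) but traps system, exec, backticks, open and friends.
# Code compiles in the compartment's own package, so the $title it assigns
# is its own package variable, not main's lexical.
my $cpt = Safe->new;

print expand_macros($flatfile, $cpt);
print "Caller still has title = '$title'\n";
```

Expected shape of the output: the first macro prints the current time, "Shouting: HELLO", "Peeking at the caller: not visible", "Clobbering: tried", and the last line reads "Kaboom! [macro error: 'system' trapped by operation mask]", followed by the caller reporting its $title unchanged. Two caveats a practitioner should keep in mind: Safe limits which operators compile, not CPU or memory, so a macro such as while(1){} still runs forever unless the caller wraps reval in an alarm; and Safe has had escapes fixed over the years, so it is a defence-in-depth measure rather than a boundary to trust with hostile end users. For content that end users edit from a web page, a template language that is not Perl (for example the Template Toolkit already used elsewhere in this application, with its EVAL_PERL option left at its default of off) is the design the thread's conclusion points to.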

Re^3: limiting scope of 'eval'??
by edan (Curate) on Aug 22, 2004 at 08:36 UTC

    Perhaps you are re-inventing the wheel for the furtherance of your own knowledge, or as a homework assignment. Otherwise, I can't help but wonder why you aren't using one of the existing templating systems out there, like Template Toolkit (http://template-toolkit.org)... ?

    --
    edan

      Yes, it's a long story... I am actually using TemplateToolkit in another part of this application. However, the part I'm trying to figure out here has to be end-user-editable (also from a web page that lets them edit the aforementioned textfile.)

      The point above about the system() call is a good one. Methinks there are probably too many security issues with letting people define perl code to be executed by the system... the sandbox isn't well enough controlled.

      Alrighty then... back to the drawing board.

      cheers
      MFN