in reply to Re: Re: stringification
in thread stringification

merlyn: very good point. But can't you get round this by enclosing the variables in quotes? E.g.

    > perl -e ' sub string_to_struct { my $string = shift; my @refs = split /__/, $string; $string = "\$$refs[0]"; for (1 .. $#refs) { $string .= "-> {q/$refs[$_]/}" }; return eval "\\$string"; } print string_to_struct "foo__`rm xxx`"; '
    SCALAR(0x8056ba4)
    > ls
    ... xxx ...
    > perl -e ' sub string_to_struct { my $string = shift; my @refs = split /__/, $string; $string = "\$$refs[0]"; for (1 .. $#refs) { $string .= "-> {$refs[$_]}" }; return eval "\\$string"; } print string_to_struct "foo__`rm xxx`"; '
    SCALAR(0x8056bb0)
    > ls
    [argh! xxx has been removed]

Anyway, I'll check the refs and consider making sure all my configs get written in a safe way. It still wouldn't be nice to let them set any variable, I guess....

update:
Great reference. That solves it. Once again, chromatic sorts me out.

update 2:
Well, not completely. chromatic's solution in the thread referred to above will traverse a hash and show all the keys (and values). I'll have a think about how to hack it to go just to the key and value you want.

update 3:
And by the way, my claim that the code above would be safe is not true - see replies to this post for why.

David

Re: Re: Re: Re: stringification
by chipmunk (Parson) on Feb 28, 2001 at 20:28 UTC
    Any solution that uses eval and doesn't do sanity checking on the input is vulnerable.

    For example, in the code snippet where you put q// around the keys, if I pass in the string "foo__/.`rm xxx`.q/" then the line that gets evalled is

        \$foo-> {q//.`rm xxx`.q//}

    If you do decide to go with eval, which personally I would not recommend, then you should turn on taint checking and make sure the input is safe before you eval it.

      Ah... now that would explain why the node is getting massacred... /me looks suitably chastened, and will rewrite to avoid the "eval" solution.

      dave hj~
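The following is an added example, not code from the thread or from any of the posters. It puts the eval-based string_to_struct from the original post next to a version that does what chipmunk recommends: no generated source, no eval, an allow-list check on every path component, and an ordinary hash walk. The eval-based version is reduced to a function that only returns the source text it would have evalled, so chipmunk's payload can be inspected without anything being executed. Two assumptions are made: the sample %config is constructed for the example, and the first path component is looked up as a key of a supplied hash rather than used as a global variable name (the original's "\$foo" was a symbolic reference into the package).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample config for this example (not from the thread).
my %config = (
    foo => { bar => { baz => 42 }, name => 'x' },
);

# The eval-based approach from the thread, reduced to the source text it
# would hand to eval. Returning the text instead of evalling it lets us
# look at what a payload turns into without running anything.
sub unsafe_eval_source {
    my ($string) = @_;
    my @refs = split /__/, $string;
    my $src = "\$$refs[0]";
    $src .= "-> {q/$refs[$_]/}" for 1 .. $#refs;
    return "\\$src";
}

# Safe replacement: no generated source and no symbolic references.
# The first component is treated as a key of the supplied hash (an
# assumption; the original used it as a global variable name), every
# component must match an allow-list pattern, and the walk is done with
# plain hash lookups. Returns a reference to the hash slot so the caller
# can read or assign through it, as the original did, or an empty list
# if the path is malformed or does not exist.
sub string_to_struct {
    my ($root, $string) = @_;
    my @keys = split /__/, $string, -1;   # -1 keeps empty trailing fields
    return unless @keys;
    for my $k (@keys) {
        return unless $k =~ /\A\w+\z/;    # allow-list: word characters only
    }
    my $last = pop @keys;
    my $node = $root;
    for my $k (@keys) {
        return unless ref $node eq 'HASH' && exists $node->{$k};
        $node = $node->{$k};
    }
    return unless ref $node eq 'HASH' && exists $node->{$last};
    return \$node->{$last};
}

# Normal use: read and write through the returned reference.
my $ref = string_to_struct(\%config, 'foo__bar__baz');
print "foo__bar__baz = ${$ref}\n";
${$ref} = 43;
print "after assignment: $config{foo}{bar}{baz}\n";

# chipmunk's payload: closes the q//, injects a command, reopens q//.
my $payload = 'foo__/.`rm xxx`.q/';
print "eval would see: ", unsafe_eval_source($payload), "\n";

# The same payload is rejected by the allow-list before any lookup.
print "safe version: ",
    (defined(string_to_struct(\%config, $payload)) ? "accepted" : "rejected"),
    "\n";

# Well-formed paths that do not exist are rejected too.
print "missing key: ",
    (defined(string_to_struct(\%config, 'foo__nope')) ? "accepted" : "rejected"),
    "\n";
```

The "eval would see" line reproduces exactly the text chipmunk quotes, which is the point of keeping eval out of the picture entirely: once the input becomes Perl source, the quoting trick of the day is always one delimiter away from being undone. The allow-list pattern also doubles as an untaint if the script is run under -T, but since nothing is evalled or passed to a shell there is nothing left for taint mode to object to.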

Re: stringification (perl command line trivia)
by deprecated (Priest) on Feb 28, 2001 at 17:48 UTC
    >perl -e ' sub string_to_struct { my $string = shift; my @refs = split /__/, $string; $string = "\$$refs[0]"; for (1 .. $#refs) { $string .= "-> {q/$refs[$_]/}" }; return eval "\\$string"; } print string_to_struct "foo__`rm xxx`"; '
    Just to interject here: on every Unix system I've ever used, just typing 'perl' and return will allow you to code freely until __END__ or control-d and then execute. No need for the -e '...'.

    --
    transcending "coolness" is what makes us cool.