in reply to Re: eval() and security
in thread eval() and security

That ("unlink...") will not work from inside the /regexp/ which is the only place the $userinput will appear inside eval{}. I did test it, but I'm no expert on exploitation.

Running in taint mode, the first version:
eval($s);
will throw an error, whereas the second does not (for what that is worth). The first form is the only one I can actually get code to execute in (via the input). Perhaps I am being a little paranoid suddenly.

Re^3: eval() and security
by Anonymous Monk on Nov 24, 2009 at 17:53 UTC
    $ perl -e " $x = shift; /$x/" "(?{ die 666 })"
    Eval-group not allowed at runtime, use re 'eval' in regex m/(?{ die 666 })/ at -e line 1.
    $ perl -Mre=eval -e " $x = shift; /$x/" "(?{ die 666 })"
    666 at (re_eval 1) line 1.
    $ perl -Mre=eval -Te " $x = shift; /$x/" "(?{ die 666 })"
    Eval-group in insecure regular expression in regex m/(?{ die 666 })/ at -e line 1.
      syntax error at -e line 1, near "="
      Execution of -e aborted due to compilation errors.
      For all of those dude.

        On Unix, you need to use single quotes, or else the shell will interpolate $x etc.

Re^3: eval() and security
by SuicideJunkie (Vicar) on Nov 24, 2009 at 17:54 UTC

    I did not mean it as a literal runnable example, or I would have put it in code tags.

    The key point is that you can run arbitrary code (provided it parses) inside a regex match. If you allow user data into the regex match, then the sky is the limit for exploits. (As anonymonk shows above, Taint mode is smart enough to hate that sort of thing)

      Also, there are regex patterns which will run forever, and there have been some that would overflow buffers...

        and there have been some that would overflow buffers...

        The switch to a non-recursive engine in 5.10 should have fixed that.

      The key point is that you can run arbitrary code (provided it parses) inside a regex match.

      I have thought this too, but in fact I cannot make it happen for all my trying, and I have never seen any security advisories about it, nor can I find any examples of such a thing.
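The following is an added example, not code posted by anyone in the thread. It puts the two forms from the original post side by side: a string eval that splices $userinput into Perl source, and a block eval that interpolates $userinput into the pattern at match time, plus a \Q...\E (quotemeta) form as the usual fix. The three inputs are constructed for the demonstration; if you pass your own on the command line and run the script with -T, they arrive tainted, which is the situation the Anonymous Monk's one-liners show.

```perl
#!/usr/bin/perl
# Added example: how user input reaches (or fails to reach) code execution
# through the two eval forms discussed in the thread.
use strict;
use warnings;

my $text = 'foo bar';

# Constructed inputs standing in for $userinput. Command-line arguments
# replace them (under -T they are tainted, like CGI parameters would be).
my @inputs = @ARGV ? @ARGV : (
    'foo',                                      # harmless pattern
    '(?{ die "code ran inside the regex" })',   # code block inside the pattern
    'x/ or die "code ran in string eval"; /y',  # breaks out of /.../ in source
);

# Print the outcome of one attempt. $@ still holds the eval's error here
# because nothing between the eval and this call touches it.
sub report {
    my ($label, $matched) = @_;
    my $err = $@;
    chomp $err;
    printf "  %-12s %s\n", $label,
        $err ? "died: $err" : ($matched ? "matched" : "no match");
}

for my $userinput (@inputs) {
    print "input: $userinput\n";

    # Form 1: string eval. The input becomes part of the program text, so a
    # literal (?{ ... }) is a legal constant pattern and runs, and a stray /
    # terminates the pattern early and turns the rest into statements.
    report 'string eval', eval "\$text =~ /$userinput/";

    # Form 2: block eval, pattern interpolated at match time. perl refuses
    # (?{ ... }) in a runtime-interpolated pattern unless 'use re "eval"' is
    # on, and the breakout input is just literal characters, not source.
    report 'block eval', eval { $text =~ /$userinput/ };

    # Form 3: \Q...\E quotes every metacharacter, so the input can only ever
    # be matched as a literal substring, which is what a "search term" should be.
    report 'quotemeta', eval { $text =~ /\Q$userinput\E/ };
}
```

With the built-in inputs, only the string-eval form dies with the attacker's own message for inputs two and three; the block-eval form dies with "Eval-group not allowed at runtime" for the second input and simply fails to match the third, and the quotemeta form never runs anything. Run as `perl -T script.pl '(?{ die 666 })'` and the string eval is refused outright as an insecure dependency, while the block eval reports "Eval-group in insecure regular expression", matching the -T one-liner above.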