Re: Is this code secure, can I test it on my machine?

eval EXPR, s///ee and use re 'eval'; can be used to execute arbitrary Perl code.

>perl -e"system \"echo Hello World\""
Hello World
[download]

can be written as

>perl -MMIME::Base64 -e"$_='c3lzdGVtICJlY2hvIEhlbGxvIFdvcmxkIg=='; s/(
+.*)/decode_base64 $1/seige"
Hello World
[download]

Comment on Re: Is this code secure, can I test it on my machine? Select or Download Code

Replies are listed 'Best First'.
Re^2: Is this code secure, can I test it on my machine? by szabgab (Priest) on May 23, 2010 at 19:07 UTC
string eval is already flagged as dangerous spot and "use" too. The new thing here is substitution with two "e"-s: `s/.../.../ee` [download] Do I understand correctly that a single e after the substitution would only be dangerous if the code inside is dangerous `s/.../system($1)/e` [download] but code like this `s/.../$1/e` [download] cannot be dangerous?	[reply] [d/l] [select]
Re^3: Is this code secure, can I test it on my machine? by ikegami (Patriarch) on May 23, 2010 at 19:25 UTC
string eval is already flagged as dangerous spot and "use" too I missed the mention of string `eval`. As for the `use re 'eval';`, it's not prevented by preventing the use of `use` as I suspect you can achieve the same effect without actually using `use`. The new thing here is substitution with two "e"-s: It's really just another way of writing a string eval. `s/.../.../ee` [download] is the same as `s/.../eval "..."/e` [download] (without making '"' special). Do I understand correctly that a single e after the substitution would only be dangerous if the code inside is dangerous If you consider `$1` safe in code, then `s/.../$1/e` is safe too.	[reply] [d/l] [select]