in reply to Re^4: hex code passed from command line is interpreted literally in substitution
in thread hex code passed from command line is interpreted literally in substitution

No it doesn't, it executes rm -rf /

Hopefully, you're not running as root, you're using taint

Re^6: hex code passed from command line is interpreted literally in substitution
by Allasso (Monk) on Mar 10, 2011 at 14:38 UTC
    it doesn't on my machine. I tried it (with a different command just in case I was wrong.) It does not execute the command.

    eval (I believe) is only going to evaluate the string given it. I am not giving it the string "$arg_2", I am giving it the string "s/$arg_1/$arg_2/".

    perhaps if I were using the 'e' flag it would be a problem.

    even if it did what you think it did, I would have to ask, why would I want to do that? That to me is like saying, "go to your terminal, and type rm -rf /".
      perhaps if I were using the 'e' flag it would be a problem.

      You're using string eval, it's a problem right now, just because I didn't provide a working exploit on purpose

      That to me is like saying, "go to your terminal, and type ...

      Imagine some user telling you, hey, I can't get your program to work, here is what I tried, and then you enter what the user gives you, and you execute rm -rf

      Imagine forgetting how your program works, and accidentally getting rm -rf to execute

      You do absolutely nothing to ensure that can't happen. The cheapest option is to use taint (-T).

      If this is just a program for personal use, why wouldn't you simply use perl -E ... ?

        You're using string eval, it's a problem right now, just because I didn't provide a working exploit on purpose

        Please enlighten me then on how eval works. I just don't see any reason why it would execute anything other than what I give it, i.e., s///.

        You do absolutely nothing to ensure that can't happen. The cheapest option is to use taint (-T)

        I agree, there would be no harm in using that.

        If this is just a program for personal use, why wouldn't you simply use perl -E ... ?

        It is a program that iterates through several files and processes them. I wouldn't want to type all of that on the command line every time.

        I'm not resisting your help, I just am not understanding why eval would do what you say it would.

        I am also wondering why two other monks suggested it.
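The point being argued above is why a string eval of "s/$arg_1/$arg_2/" runs more than the substitution. The following is an added example, not code from either poster: `subst_with_string_eval` models the pattern under discussion with a replacement argument that closes the s/// early and sets a harmless flag, and `subst_without_eval` shows the same substitution done without string eval, where the argument stays data. Function names, the `$injected` flag and the sample inputs are constructed for the demonstration.

```perl
use strict;
use warnings;

# Pattern under discussion: build "s/$arg_1/$arg_2/" as text and hand it to
# string eval. Both arguments become Perl source, so a '/' inside $arg_2
# terminates the substitution and whatever follows is compiled and run.
sub subst_with_string_eval {
    my ($text, $arg_1, $arg_2) = @_;
    my $code = "s/$arg_1/$arg_2/";
    eval "\$text =~ $code; 1" or die "eval failed: $@";
    return $text;
}

# Hardened form: no string eval at all. A runtime-interpolated regex cannot
# execute code, the replacement is a plain string (no /e flag), and \Q..\E
# makes the pattern argument match literally instead of as regex syntax.
sub subst_without_eval {
    my ($text, $arg_1, $arg_2) = @_;
    $text =~ s/\Q$arg_1\E/$arg_2/;
    return $text;
}

# Flag that is only set if user-supplied text gets executed as code.
our $injected = 0;

# Constructed inputs: a normal replacement, and one that ends the s///,
# appends a statement, then opens a second substitution so the rest parses.
my $benign_rep = 'b';
my $break_out  = 'b/; $main::injected = 1; $text =~ s/zz/zz';

print subst_with_string_eval('abc', 'a', $benign_rep), "\n";   # bbc
print subst_with_string_eval('abc', 'a', $break_out), "\n";    # bbc
print "string eval ran the injected statement: $injected\n";    # 1

$injected = 0;
print subst_without_eval('abc', 'a', $break_out), "\n";  # replacement inserted verbatim
print "no-eval version ran the injected statement: $injected\n";  # 0
```

Under taint mode (-T), the string eval of a tainted argument dies before any of this runs, which is the cheap check the other poster recommends; the no-eval form removes the code path entirely.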