in reply to Re^5: hex code passed from command line is interpreted literally in substitution
in thread hex code passed from command line is interpreted literally in substitution

it doesn't on my machine. I tried it (with a different command just in case I was wrong.) It does not execute the command.

eval (I believe) is only going to evaluate the string given it. I am not giving it the string "$arg_2", I am giving it the string "s/$arg_1/$arg_2/".

perhaps if I were using the 'e' flag it would be a problem.

even if it did what you think it did, I would have to ask, why would I want to do that? That to me is like saying, "go to your terminal, and type rm -rf /".
  • Comment on Re^6: hex code passed from command line is interpreted literally in substitution
  • Download Code

Replies are listed 'Best First'.
Re^7: hex code passed from command line is interpreted literally in substitution
by Anonymous Monk on Mar 10, 2011 at 16:52 UTC
    perhaps if I were using the 'e' flag it would be a problem.

    You're using string eval, its a problem right now, just because I didn't provide working exploit on purpose

    That to me is like saying, "go to your terminal, and type ...

    Imagine some user telling you , hey, I can't get your program to work, here is what I tried, and then you enter what the user gives you, and you execute rm -rf

    Imagine forgetting how your program works, and accidentally getting rm -rf to execute

    You do absolutely nothing to ensure that can't happen. The cheapest option is to use taint (-T).

    If this is just a program for personal use, why wouldn't you simply use perl -E ... ?

[reply]
      You're using string eval, its a problem right now, just because I didn't provide working exploit on purpose

      Please enlighten me then on how eval works. I just don't see any reason why it would execute anything other than what I give it, ie, s///.

      You do absolutely nothing to ensure that can't happen. The cheapest option is to use taint (-T)

      I agree, there would be no harm in using that.

      If this is just a program for personal use, why wouldn't you simply use perl -E ... ?

      It is a program that iterates through several files and processes them. I wouldn't want to type all of that on the command line every time.

      I'm not resisting your help, I just am not understanding why eval would do what you say it would.

      I am also wondering why two other monks suggested it.
[reply]
        It is a program that iterates through several files and processes them. I wouldn't want to type all of that on the command line every time.

        But that is exactly what you are doing every time you use string eval, you're creating a mini perl program, from stuff you typed on the commandline, might as well just use -E and avoid eval altogether 

        $ perl -E " say @ARGV" say 6
say6

$ perl -E " eval qq!@ARGV!" say 6
6

        [download]

        I am also wondering why two other monks suggested it.

        Branfart :) It is the shortest answer to your question, but its also the most dangerous one. See String::Interpolate

[reply]
[d/l]

        I am also wondering why two other monks suggested it.

        I believe you are referring to bart and I.

        I simply said it's required to execute Perl code. I never suggested that you use Perl code as inputs — that extremely rarely makes sense — so I never suggested that you use eval.

[reply]
[d/l]

In Section Seekers of Perl Wisdom