in reply to Re^6: hex code passed from command line is interpreted literally in substitution
in thread hex code passed from command line is interpreted literally in substitution

perhaps if I were using the 'e' flag it would be a problem.

You're using string eval, its a problem right now, just because I didn't provide working exploit on purpose

That to me is like saying, "go to your terminal, and type ...

Imagine some user telling you , hey, I can't get your program to work, here is what I tried, and then you enter what the user gives you, and you execute rm -rf

Imagine forgetting how your program works, and accidentally getting rm -rf to execute

You do absolutely nothing to ensure that can't happen. The cheapest option is to use taint (-T).

If this is just a program for personal use, why wouldn't you simply use perl -E ... ?

  • Comment on Re^7: hex code passed from command line is interpreted literally in substitution

Replies are listed 'Best First'.
Re^8: hex code passed from command line is interpreted literally in substitution
by Allasso (Monk) on Mar 10, 2011 at 17:18 UTC
    You're using string eval, its a problem right now, just because I didn't provide working exploit on purpose

    Please enlighten me then on how eval works. I just don't see any reason why it would execute anything other than what I give it, ie, s///.

    You do absolutely nothing to ensure that can't happen. The cheapest option is to use taint (-T)

    I agree, there would be no harm in using that.

    If this is just a program for personal use, why wouldn't you simply use perl -E ... ?

    It is a program that iterates through several files and processes them. I wouldn't want to type all of that on the command line every time.

    I'm not resisting your help, I just am not understanding why eval would do what you say it would.

    I am also wondering why two other monks suggested it.
[reply]
      It is a program that iterates through several files and processes them. I wouldn't want to type all of that on the command line every time.

      But that is exactly what you are doing every time you use string eval, you're creating a mini perl program, from stuff you typed on the commandline, might as well just use -E and avoid eval altogether 

      $ perl -E " say @ARGV" say 6
say6

$ perl -E " eval qq!@ARGV!" say 6
6

      [download]

      I am also wondering why two other monks suggested it.

      Branfart :) It is the shortest answer to your question, but its also the most dangerous one. See String::Interpolate

[reply]
[d/l]
        Please enlighten me then on how eval works. I just don't see any reason why it would execute anything other than what I give it, ie, s///.

        Question answered
[reply]

      I am also wondering why two other monks suggested it.

      I believe you are referring to bart and I.

      I simply said it's required to execute Perl code. I never suggested that you use Perl code as inputs — that extremely rarely makes sense — so I never suggested that you use eval.

[reply]
[d/l]
        I'm sorry, I retract that.

        Would you agree then with AM, that it would be possible for eval to execute a system command if the appropriate code were typed in and used as one of the variables in the string below: 
        
eval "s/$arg_1/$arg_2/";

        [download]
[reply]
[d/l]

In Section Seekers of Perl Wisdom