You could do something like this and eval the code you are being given but use a bareblock and a last to ensure that it COMPILES but does not actually ever RUN. The last causes an immediate exit from the block. Comment out the $code = "{last; $code}" to see how this works.

Even using this methodology a malicious coder could force code execution if you allow BEGIN blocks. Comment out the s/BEGIN// to see what I mean. BEGIN {`format C:`} might be a bit of a bummer so we kill these off. By deleting the 'BEGIN' they become ordinary blocks that will never execute owing to the {last; ... } structure.

There may be other security holes in this solution, no doubt they will be duly noted. I used this method in a script (not a CGI!) a while ago because I was totally unable to capture the output of perl -c - it goes to STDOUT on Win32 despite all efforts otherwise. Perl -c also allows BEGIN blocks to !$#% you over as they get EXECUTED even though the rest of the code does not. Abigail has demonstrated a virus based on this behaviour BTW.

Update

jplindstrom reminded me about END blocks and I refresh my memory on CHECK blocks - both these will execute in this structure so I have updated the code to just remove all the blocks constructs.

cheers

tachyon

$code = <<'CODE';
print "Hello World!\n";
BEGIN {print '# hacked #';}
CODE

$code =~ s/BEGIN|CHECK|INIT|END//g; # kill blocks here
$code = "{last; $code}";            # stop test code running
eval $code;

# now have a look see at $@ to see if it contains an error
# due to the test code being invalid.

print $@ ? "Invalid\n" : "Syntax OK\n";
[download]