At 20.57 +0200 on 97-07-10, Claes Bjorklund wrote:

> >At 9.23 7/10/97, Claes Bjorklund wrote:
> >>Is this cgi script dangerous?
> >
> >>$math = $FORM{'calc'};
> >>$res=eval "$math";
> >
> >Yes. Now, it is not as dangerous as it is on a UNIX box, but it is still
> >dangerous. Any Perl statement can be executed by the web user.
> >
> >Imagine the calculation was something like this, but only more damaging:
> >
> >    MacPerl::Answer('Erase System Folder?', 'OK')
> >
> [...]
> Hi
>
> How do I write a script which is safe? I understand I must do some check of the
> input. Please help me, I am a beginner.
>

Hi! Here is a suggestion, but it is hardly optimal, so we'll see what the MacPerl list says... try:

> >>$math = $FORM{'calc'};

@math = split(/\b/,$math);
foreach (@math){
    s/([a-zA-Z]+)//g unless $_ eq "sin" || $_ eq "cos" || $_ eq "tan" || $_ eq "ln";
    # not sure about Perl's math...
}
$math = join("",@math);

> >>$res=eval "$math";

but I'm sure this can be done more efficiently, so I'm cc:ing the list

Christian
<http://www.solvare.se/individer/christian/>
________________________________________________________
Solvare - mathematics consulting & macintosh automation
<mailto:info@solvare.se> <http://www.solvare.se>

***** Want to unsubscribe from this list? *****
Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
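As an added example that is not part of this thread or of Christian's posted filter: instead of stripping letters out of the string and still handing the remainder to eval, parse the expression yourself so the web user's text is never compiled as Perl. The names safe_calc, tokenize, parse_expr and the sample inputs are my own; the function allowlist keeps only sin, cos and ln (mapped to Perl's log) from the posted filter.

```perl
use strict;
use warnings;
# Allowlisted functions (ln is Perl's log(), the natural logarithm); any other word is rejected.
my %FUNC = (sin => sub { sin $_[0] }, cos => sub { cos $_[0] }, ln => sub { log $_[0] });
my @t;   # token stream consumed by the recursive-descent parser below
# Tokens: numbers, + - * / ( ) and lowercase words. Anything else (quotes,
# '::', '$', backticks, ...) makes the whole input invalid, not just removed.
sub tokenize {
    my ($s, @tok) = @_;
    push @tok, $1 while $s =~ /\G\s*(\d+(?:\.\d+)?|[-+*\/()]|[a-z]+)/gc;
    die "invalid character in input\n" unless $s =~ /\G\s*\z/gc;
    return @tok;
}
sub expect {   # consume one token and insist it is the one the grammar needs
    my $got = shift @t;
    die "expected '$_[0]'\n" unless defined $got && $got eq $_[0];
}
sub parse_expr {   # expr := term (('+'|'-') term)*
    my $v = parse_term();
    while (@t && $t[0] =~ /^[-+]$/) {
        $v = shift(@t) eq '+' ? $v + parse_term() : $v - parse_term();
    }
    return $v;
}
sub parse_term {   # term := factor (('*'|'/') factor)*
    my $v = parse_factor();
    while (@t && $t[0] =~ /^[*\/]$/) {   # /0 dies and is caught by the caller's eval
        $v = shift(@t) eq '*' ? $v * parse_factor() : $v / parse_factor();
    }
    return $v;
}
sub parse_factor {   # factor := number | '-' factor | '(' expr ')' | func '(' expr ')'
    my $tok = shift(@t) // die "unexpected end of input\n";
    return $tok if $tok =~ /^\d/;
    return -parse_factor() if $tok eq '-';
    if ($tok eq '(') { my $v = parse_expr(); expect(')'); return $v }
    my $f = $FUNC{$tok} or die "unknown token '$tok'\n";
    expect('('); my $v = parse_expr(); expect(')');
    return $f->($v);
}
sub safe_calc {   # returns the value or dies with a reason; no user text is compiled
    @t = tokenize($_[0]);
    my $v = parse_expr();
    @t ? die "trailing input\n" : $v;
}
# Constructed sample inputs standing in for $FORM{'calc'}; the eval BLOCK only traps die.
for my $in ('2 + 3 * (4 - 1)', 'sin(0) + ln(1)', '2 ** 8', 'MacPerl::Answer(1)') {
    my $res = eval { safe_calc($in) };
    print defined $res ? "$in = $res\n" : "rejected $in: $@";
}
```

The first two inputs evaluate to 11 and 0; the last two are rejected before anything is computed, because `**` and `MacPerl::Answer` are not in the grammar.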