
Re: [MacPerl] How do you use Safe.pm?



At 9:03 AM -0400 10/24/97, Chris Nandor wrote:
>Well, except that someone could copy his use LWP (or simply copy his HTML
>source) and change the values of the parameters and send that to the CGI
>script.  Purty dangerous.

In that case, you simply make sure your eval is eval'ing a string... and
check for the result.

The eval code in question was doing its own testing for "eq"... the only
variables in the eval string are from the form... and they are being
compared with "eq".

For eval purposes, something like:

eval "qq/$var1/ eq qq/$var2/";

Will do a string compare with $var1 and $var2 being expanded with no fear
of the strings being interpreted as code.

The only danger, as I mentioned before, is:

eval "qq/$var1/ $op qq/$var2/";

Because $op could be *anything* at this point.  Since the original poster
knows they want it to be '<', '>', or '='... then a simple test beforehand
is in order to make sure someone can't change that variable $op.

Overall from what I saw from the original poster.... there's nothing much
to be concerned about.  As I stated.... I think Safe.pm might be a bit of
overkill.

However.... if anyone here wants to use Safe... here's some quick example code:

use Safe;
my $safeCode = Safe->new('SafeCode');   # compartment rooted in package SafeCode::

# $safeCode->trap(opcodename)     # forbid an opcode inside the compartment
# $safeCode->untrap(opcodename)   # allow it again

my $code = "print qq/Hello World/;";
$safeCode->reval($code);                # compile and run $code inside the compartment

print "Error in SafeCode: $@" if $@;    # reval leaves compile/runtime errors in $@


The subs trap and untrap set up which opcode names are allowed or not.  You
can find the opcode names in opcode.h if I remember correctly.

The Safe module calls an XSUB that switches out the main:: tablespace with
its own when eval'ing via the reval method.  Remember... since main:: is
temporarily switched out, you will not have access to any variables outside
of the reval call unless you 'share' them.  Check out the Safe.pm source to
see the calls for sharing vars or Programming Perl 2nd Ed pg 491.

However, Safe.pm has changed since those docs... and many of the calls do
not work any longer.  The opcode manipulatiojn functions mostly do not work
because a new module Opcode.pm was created which handles manipulation of
opcode masks.

Checking out the Safe.pm and Opcode.pm source helps out a lot to understand
what is really going on.

Personally, I've written my own share method for my product... and after
the new Safe.pm module broke my code once, I've been cautious about relying
on some of the calls.  I don't like moving APIs for production code.

If anyone else has any further questions about Safe.pm, I'd be happy to
answer.  I haven't had a chance yet to fully test out Safe.pm under
MacPerl.  As I get into testing my product for MacPerl, I'll have a good
feel for how well it functions on the Mac (though I expect no surprises).

mark


PowerPerl(tm),  mailto:info@powerperl.com   http://www.powerperl.com
       A product of Tyrell Software Corp.   http://www.tyrell.com
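The two ideas in the post above, whitelisting the form-supplied operator before it gets near eval and running the comparison inside a Safe compartment with the values shared in rather than interpolated, put together as one runnable script. This is an added example, not code from the post or from PowerPerl, and it is written against the current Safe.pm API (Safe->new, varglob, reval), in which the trap and untrap calls mentioned above correspond to deny and permit. The form values and the helper names compare_in_compartment and compare_by_interpolation are chosen for this example. The last step shows the caveat a practitioner will want: a value containing the qq// delimiter closes the quote early, so interpolating form values into the eval string is not safe even when the operator is fixed.

```perl
#!/usr/bin/perl
# Added example (not from the original post): compare two form values with a
# form-supplied operator without letting either value be parsed as Perl code.
use strict;
use warnings;
use Safe;

# Constructed stand-ins for the CGI form parameters.
my %form = (var1 => 'apple', var2 => 'banana', op => 'lt');

# The check the post recommends: the operator is whitelisted before it gets
# anywhere near eval.  Anything not in this list is rejected outright.
my %allowed_op = map { $_ => 1 } qw(eq ne lt gt le ge);

# Hypothetical helper (name chosen for this example).
sub compare_in_compartment {
    my ($lhs, $rhs, $op) = @_;
    die "operator not permitted: $op\n" unless $allowed_op{$op};

    # Each compartment gets its own root package; code inside it cannot see main::.
    my $cpt = Safe->new('SafeCode');

    # Hand the two values in as variables shared into the compartment instead of
    # interpolating them into the code string: their contents stay data.
    ${ $cpt->varglob('lhs') } = $lhs;
    ${ $cpt->varglob('rhs') } = $rhs;

    # Only the whitelisted operator is spliced into the source text; $lhs and
    # $rhs resolve to $SafeCode::lhs and $SafeCode::rhs inside the compartment.
    my $result = $cpt->reval("\$lhs $op \$rhs");
    die "compartment error: $@" if $@;
    return $result ? 1 : 0;
}

# Hypothetical helper reproducing the interpolating form discussed above.
sub compare_by_interpolation {
    my ($lhs, $rhs) = @_;
    my $result = eval "qq/$lhs/ eq qq/$rhs/";
    return ($result, $@);
}

# 1. Normal use: 'apple' lt 'banana' is true.
printf "%s %s %s => %d\n", @form{qw(var1 op var2)},
    compare_in_compartment(@form{qw(var1 var2 op)});

# 2. An attacker-controlled operator is refused before any eval happens.
eval { compare_in_compartment('a', 'b', 'eq 1 or system(qq/id/) or') };
print "rejected: $@";

# 3. Even code that reaches the compartment cannot use an opcode outside
#    Safe's default mask: system() is denied, and reval reports it in $@.
my $probe = Safe->new('SafeProbe');
$probe->reval('system("id")');
print "trapped: $@";

# 4. Why the values must be shared rather than interpolated: a value holding
#    the qq// delimiter closes the quote early and the remainder is compiled
#    and executed as Perl.  Here the "value" makes die() run inside the eval.
my ($r, $err) = compare_by_interpolation(
    'x/ . die(qq[value ran as code]) . qq/', 'x');
print "interpolation: $err";
```

Run it with a current perl and Safe.pm; step 2 never constructs an eval string, step 3 prints the "trapped by operation mask" message, and step 4 prints the die() text from the injected value, which is the behaviour the whitelist plus shared variables avoids.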