
Re: [MacPerl] How do you use Safe.pm?



"Mark F. Murphy" <markm@powerperl.com> writes:
>In that case, you simply make sure your eval is eval'ing a string... and
>check for the result.
>
>The eval code in question was doing its own testing for "eq"... the only
>variables in the eval string are from the form... and they are being
>compared with "eq".
>
>For eval purposes, something like:
>
>eval "qq/$var1/ eq qq/$var2/";
>
>Will do a string compare with $var1 and $var2 being expanded with no fear
>of the strings being interpreted as code.

Sorry, unless I misunderstand you, I have to disagree: $var1 could have been
set to something like

xy/,SOMETHINGEVIL,qq/za

And when interpolated and evaled, anything could happen. A similar effect can
be obtained when $var contains:

@{[somethingevil]}

Therefore, an eval is only safe if the string is checked with something like

$var1 =~ /^[A-Za-z \t,.]+$/

first.

Matthias

-----
Matthias Neeracher   <neeri@iis.ee.ethz.ch>   http://www.iis.ee.ethz.ch/~neeri
   "I'm set free to find a new illusion" -- Velvet Underground
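The following script is an added illustration of the two messages above and is not code from either poster. It builds the `eval "qq/$var1/ eq qq/$var2/"` string exactly as Mark describes, feeds it a benign value and two constructed values shaped like Matthias's examples (with a harmless flag assignment standing in for "SOMETHINGEVIL"), and then applies Matthias's allowlist check before the eval. It also shows the plain `eq` operator, which needs no eval at all. The `%form`-style sample values, flag names and sub names are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Flags that become true only if form input ends up executing as Perl code.
our ($tripped_qq, $tripped_block) = (0, 0);

# Constructed sample "form" values (assumed; not from the original thread).
my @samples = (
    ['hello',                            'hello'],   # benign
    ['xy/,$main::tripped_qq = 1,qq/za',  'hello'],   # closes qq// early, as in the reply
    ['@{[ $main::tripped_block = 1 ]}',  'hello'],   # expression interpolation, as in the reply
);

# The allowlist from the thread. Note that $ also matches before a trailing
# newline; \z is the strict end-of-string anchor if that matters to you.
my $allowed = qr/^[A-Za-z \t,.]+$/;

# Mark's approach: wrap each value in qq// inside a string eval.
sub compare_with_string_eval {
    my ($var1, $var2) = @_;
    no warnings 'void';   # the injected comma expression would otherwise warn
    my $result = eval "qq/$var1/ eq qq/$var2/";
    die "eval failed: $@" if $@;
    return $result ? 1 : 0;
}

# Matthias's condition: refuse to eval unless both values pass the allowlist.
sub compare_checked {
    my ($var1, $var2) = @_;
    for ($var1, $var2) {
        return unless $_ =~ $allowed;   # undef means "rejected, nothing evaluated"
    }
    return compare_with_string_eval($var1, $var2);
}

# A string comparison does not need eval: the eq operator never treats its
# operands as code, whatever characters they contain.
sub compare_directly {
    my ($var1, $var2) = @_;
    return $var1 eq $var2 ? 1 : 0;
}

for my $pair (@samples) {
    my ($v1, $v2) = @$pair;

    ($tripped_qq, $tripped_block) = (0, 0);
    my $r = compare_with_string_eval($v1, $v2);
    printf "string eval : %-36s => %s  code ran? %s\n",
        "'$v1'", $r, ($tripped_qq || $tripped_block) ? 'YES' : 'no';

    ($tripped_qq, $tripped_block) = (0, 0);
    $r = compare_checked($v1, $v2);
    printf "checked eval: %-36s => %s  code ran? %s\n",
        "'$v1'", defined $r ? $r : 'rejected',
        ($tripped_qq || $tripped_block) ? 'YES' : 'no';

    printf "direct eq   : %-36s => %d\n", "'$v1'", compare_directly($v1, $v2);
}
```

Running it shows the unchecked string eval reporting "code ran? YES" for both constructed values: the first ends the `qq//` literal early so the rest of the text is parsed as ordinary Perl, and the second has `qq//` itself evaluate the `@{[ ... ]}` block. The allowlist rejects both before any eval happens, and the direct `eq` compares the raw strings without ever compiling them.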

