[Date Prev][Date Next][Thread Prev][Thread Next] [Search] [Date Index] [Thread Index]

Re: [MacPerl] How do you use Safe.pm?

To: mac-perl@iis.ee.ethz.ch
Subject: Re: [MacPerl] How do you use Safe.pm?
From: Matthias Ulrich Neeracher <neeri@iis.ee.ethz.ch>
Date: Fri, 24 Oct 1997 18:36:49 +0200
In-Reply-To: Your message of Fri, 24 Oct 1997 08:59:37 -0700.

"Mark F. Murphy" <markm@powerperl.com> writes:
>In that case, you simply make sure your eval is eval'ing a string... and
>check for the result.
>
>The eval code in question was doing it's own testing for "eq"... the only
>variables in the eval string are from the form... and they are being
>compared with "eq".
>
>For eval purposes, something like:
>
>eval "qq/$var1/ eq qq/$var2/";
>
>Will do a string compare with $var1 and $var2 being expanded with no fear
>of the strings being interpretted as code.

Sorry, unless I misunderstand you, I have to disagree: $var1 could have been
set to something like

xy/,SOMETHINGEVIL,qq/za

And when interpolated and evaled, anything could happen. A similar effect can
be obtained when $var contains:

@{[somethingevil]}

Therefore, an eval is only safe if the string is checked with something like

$var1 =~ /^[A-Za-z \t,.]+$/

first.

Matthias

-----
Matthias Neeracher   <neeri@iis.ee.ethz.ch>   http://www.iis.ee.ethz.ch/~neeri
   "I'm set free to find a new illusion" -- Velvet Underground


***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch

Follow-Ups:
- Re: [MacPerl] How do you use Safe.pm?
  - From: "Mark F. Murphy" <markm@powerperl.com>

Prev by Date: Re: [MacPerl] How do you use Safe.pm?
Next by Date: [MacPerl] MacPerl as ACGI?
Prev by thread: Re: [MacPerl] How do you use Safe.pm?
Next by thread: Re: [MacPerl] How do you use Safe.pm?
Navigation: Date Index | Thread Index | Search | Other lists at bumppo.net