
Re: [MacPerl] How do you use Safe.pm?



At 16.28 10/24/97, Mark F. Murphy wrote:
>What's needed is to build the eval string for the op... and still use the
>variables.  Since eval uses the my vars from the enclosed block, using the
>vars in the eval is the way to go.

Well, I think the best way is to use regexes to verify the incoming text.  That will do two things:

1.)  It will safely make sure the data is precisely as you expect it (if you construct the regex properly).

2.)  It will untaint the data (if you have taint checks on, which you should (though MacPerl 5.1.4 does not allow taint checking right now)).

From perlsec:

        Laundering data using regular expression is the ONLY mechanism for
        untainting dirty data, unless you use the strategy detailed below to 
        fork a child of lesser privilege.

Actually, a HANDLE is also inherently tainted, and it can be untainted with the untaint() method in IO::Handle.  But we are talking about variables, not handles.

That's the main problem with eval'ing it.  Even if you can accomplish #1, you can't accomplish #2.  You should have taint checks on, and eval won't untaint the data.

Of course, that's all providing you can use the -T flag in the next release ...

--
Chris Nandor               pudge@pobox.com           http://pudge.net/
%PGPKey=('B76E72AD',[1024,'0824 090B CE73 CA10  1FF7 7F13 8180 B6B6'])
#==                    MacPerl: Power and Ease                     ==#
#==    Publishing Date: Early 1998. http://www.ptf.com/macperl/    ==#
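An added example of the approach Chris describes (regex laundering under -T, with the untrusted text never reaching eval). This is not code from the post, from the original question, or from MacPerl; it assumes a Perl that accepts the -T switch, which the post notes MacPerl 5.1.4 does not. The sample request "12 * 3", the dispatch table %op and the launder() helper are all constructed here for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: launder an untrusted
# "op" request with an anchored regex so it can be used under -T,
# then perform the operation through a dispatch table instead of eval.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input.  Under -T anything from @ARGV, %ENV or
# STDIN is tainted, and appending an empty slice of a tainted value
# taints the result, so the default request is tainted as well.
my $taint   = substr($ENV{PATH} // '', 0, 0);
my $request = (@ARGV ? $ARGV[0] : '12 * 3') . $taint;

# The only operations we are willing to perform (assumed table).
my %op = (
    '+' => sub { $_[0] + $_[1] },
    '-' => sub { $_[0] - $_[1] },
    '*' => sub { $_[0] * $_[1] },
    '/' => sub { $_[1] == 0 ? die "division by zero\n" : $_[0] / $_[1] },
);

# The regex is the whole grammar: integer, operator from %op, integer.
# \A and \z matter: without them "1 + 2; unlink 'x'" would still
# match, and only what the capture groups capture gets untainted.
sub launder {
    my ($text) = @_;
    my ($l, $o, $r) =
        $text =~ /\A\s*(-?\d{1,9})\s*([-+*\/])\s*(-?\d{1,9})\s*\z/
        or die "malformed request: '$text'\n";
    return ($l, $o, $r);    # captures from the match are untainted
}

print "request tainted:  ", (tainted($request) ? "yes" : "no"), "\n";
my ($l, $o, $r) = launder($request);
print "captures tainted: ",
    ((tainted($l) || tainted($o) || tainted($r)) ? "yes" : "no"), "\n";
print "$l $o $r = ", $op{$o}->($l, $r), "\n";

# Contrast with what the thread warns against: a string eval of the
# raw tainted text.  Under -T perl refuses it outright ("Insecure
# dependency in eval"), so eval can never be the laundering step.
my $result = eval $request;
print "eval of raw request: ", ($@ ? "refused: $@" : "$result\n");
```

Run it as `perl -T example.pl` (or `perl -T example.pl '7 - 2'`); putting -T only on the shebang line and invoking plain `perl` gives "Too late for -T". The regex is deliberately narrow: widen it only for input you actually intend to accept, since every character class you add is a character the data is then allowed to contain.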


