Velocity Reviews - Computer Hardware Reviews

variables inside a string

 
 
Tina Müller
      12-08-2010
(E-Mail Removed) wrote:
>
> The fact is that if a user knows (or guesses) your statement form,
> he/she will be able to splice in code, in any construction of eval "".


not only then. it's way simpler.
consider:
@{[ system('rm ...') ]}
or
${\ system('rm ...') }


always remember that interpolation in perl does more than just replace
$foo with the value of $foo.

--
http://www.perl-community.de/
http://perlpunks.de/
sln@netherlands.com
      12-09-2010
On 8 Dec 2010 13:33:10 GMT, Tina Müller <(E-Mail Removed)> wrote:

>(E-Mail Removed) wrote:
>>
>> The fact is that if a user knows (or guesses) your statement form,
>> he/she will be able to splice in code, in any construction of eval "".

>
>not only then. it's way simpler.
>consider:
>@{[ system('rm ...') ]}
>or
>${\ system('rm ...') }
>
>
>always remember that interpolation in perl does more than just replace
>$foo with the value of $foo.


Yeah. I'm afraid there is no way around it.
The initial interpolation via form ' eval ""; ' is not the problem, it's
the second interpolation during code compilation that does the damage.

use strict;
use warnings;

# Two user-supplied strings carrying the same @{[ ]} payload; the second
# one has a leading space in front of the sigil.
my @malicious = (
    q(@{[ system 'dir a*.pl' ]}),
    q( @{[ system 'dir a*.pl' ]}),
);

for my $user_data ( @malicious )
{
    print "\n",qq($user_data),"\n";
    # First interpolation happens here: \\ becomes \ and $user_data is
    # inserted. The second one happens when eval compiles the resulting
    # qq(...) and interpolates it again.
    eval "print '= '.qq(\\$user_data\n)";
    print "--> $! - $@\n -------- \n\n";
}
__END__

-sln
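The two posts above make one point: once user-controlled text reaches eval "" (or any eval STRING), every @{[ ]} and ${\ } inside it is compiled and run, and escaping the first sigil does not change that. The following is an added example, not code from either poster, contrasting the eval-based expansion with a lookup-based one for the "expand $name inside a user's string" task this thread started from. The template variables (name, host), the sentinel $main::EXECUTED and the three input strings are constructed for the demonstration; the payloads flip the sentinel instead of running a shell command.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Values a template is allowed to reference (constructed for this example).
my %vars = ( name => 'alice', host => 'db01' );

# Sentinel the payloads set instead of calling system().
our $EXECUTED = 0;

# Constructed inputs: one legitimate template and the two interpolation
# forms from the thread, each rewritten to flip the sentinel.
my @inputs = (
    'Hello $name from $host',
    'Hello @{[ $main::EXECUTED = 1 ]}',      # array-ref form
    'Hello ${\ ($main::EXECUTED = 2) }',     # scalar-ref form
);

# Unsafe: hands the user's template to Perl's own interpolation.
# eval STRING compiles the template as Perl source, so every @{[ ]}
# and ${\ } in it is executed, whatever the first character was.
sub expand_with_eval {
    my ($template) = @_;
    my $name = $vars{name};      # lexicals in scope are visible to eval STRING
    my $host = $vars{host};
    my $out = eval 'qq{' . $template . '}';
    die $@ if $@;
    return $out;
}

# Safe: recognise only $name / ${name} and substitute by hash lookup.
# No eval and no second interpolation; @{[ ]}, ${\ } and unknown names
# are copied through as inert text.
sub expand_safe {
    my ($template, $vars) = @_;
    (my $out = $template) =~ s{
        \$ (?: \{ (\w+) \} | (\w+) )
    }{
        my $k = defined $1 ? $1 : $2;
        exists $vars->{$k} ? $vars->{$k} : "\$$k";   # unknown name: leave it
    }gex;
    return $out;
}

for my $t (@inputs) {
    $EXECUTED = 0;
    my $unsafe = expand_with_eval($t);
    printf "eval : %-36s -> %-25s EXECUTED=%d\n", $t, $unsafe, $EXECUTED;

    $EXECUTED = 0;
    my $safe = expand_safe($t, \%vars);
    printf "safe : %-36s -> %-25s EXECUTED=%d\n", $t, $safe, $EXECUTED;
}
```

Running it shows the eval path reporting EXECUTED=1 and EXECUTED=2 for the two payloads while producing the "expected" substitution for the honest template, and the lookup path returning the payload text unchanged with EXECUTED=0 every time. The substitution regex is deliberately narrow: it only answers the question "which value does this name map to", so there is no code path through which the template can reach the compiler.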
Xho Jingleheimerschmidt
      12-10-2010
Tad McClellan wrote:
>
>
> eval EXPR (which that is) is nearly always dangerous.


It is not particularly dangerous except when the script runs with
permissions different than those the person supplying the information
being evaled has.

If I provide someone else with a script, and they can run it (as
themselves) and they can maliciously trick it into deleting their own
files, what do I care? If they really want to delete their own files,
they can just do that directly.

Unless it is running setuid, or as the server of a client-server (both
not particularly common, IME) or some type of CGI (quite common) then
eval EXPR isn't all that dangerous. Except to your debugging time. And
sanity.


Xho
Randal L. Schwartz
      12-10-2010
>>>>> "Xho" == Xho Jingleheimerschmidt <(E-Mail Removed)> writes:

Xho> If I provide someone else with a script, and they can run it (as
Xho> themselves) and they can maliciously trick it into deleting their
Xho> own files, what do I care? If they really want to delete their own
Xho> files, they can just do that directly.

Xho> Unless it is running setuid, or as the server of a client-server
Xho> (both not particularly common, IME) or some type of CGI (quite
Xho> common) then eval EXPR isn't all that dangerous. Except to your
Xho> debugging time. And sanity.

You apparently have no sense of responsibility that you are creating
code that *he* will then likely share to people who use it in ways that
*you* did not intend.

Some of the rest of us *do* have that sense.

So, in that sense, we mean "dangerous" as literally that.

It's amazing how much code gets cargo-culted into a completely
unexpected and unrelated application.

print "Just another Perl hacker,"; # the original

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<(E-Mail Removed)> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion