http://www.perlmonks.org?node_id=564798


in reply to How to delete a file with a print statement

print is an innocent bystander here. No string passed to print will cause rm to execute. The `...` operator is being executed while building the string to pass to print. You could remove the print and you would get the same result.

    > perl -Te "print qq{$var{die()}}"
    Died at -e line 1.

    > perl -Te "qq{$var{die()}}"
    Died at -e line 1.

A string literal (as opposed to a string) is a form of code. In fact, quotes, qq and the other string literal delimiters are listed as operators in perlop. Like other operators, the compiler (perl or eval EXPR) is required to convert them and their operands into executable form. String literals are only string literals in the context of source code, and will not get executed unless they are first compiled.

Most string literals result in code that simply returns a constant string ("Hello World!\n") or in code that performs concatenation ("Hello $name!\n"). However, it is well known that string literals can execute arbitrary code using the reference-dereference-array trick you mentioned. There are other ways.

    perl -e "print qq{... @{[ ...arbitrary Perl expr... ]} ...}"
    perl -e "print qq{... ${ ...arbitrary Perl expr... } ...}"
    perl -e "print qq{... $var{ ...arbitrary Perl expr... } ...}"
    perl -e "print qq{... $var[ ...arbitrary Perl expr... ] ...}"

I wouldn't call this a new security hole, since eval is needed to exploit it.

Updated for readability and clarity, but no changes were made to the substance of the post.
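
An added example, not part of the original post, contrasting the three cases the reply distinguishes: a string literal in source code, the same characters held as data, and that data passed through eval. The `marker` sub, `%var` contents and sample strings are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $ran = 0;                            # how many times the embedded expression has run
sub marker { $ran++; return 'RAN' }     # hypothetical, harmless stand-in for an arbitrary expression
my %var = (RAN => 'hash value');

# 1. String literals in source code. perl compiles the embedded expression
#    together with the literal, so marker() runs while the string is built,
#    whether or not the result is ever printed.
my $from_array_trick = "array trick: @{[ marker() ]}";
my $from_subscript   = "hash subscript: $var{marker()}";
print "$from_array_trick / $from_subscript (calls: $ran)\n";

# 2. The same characters as data (constructed sample). Single quotes do not
#    interpolate, which models text read from a file, a form or a socket.
my $data   = 'data: @{[ marker() ]}';
my $before = $ran;
print "$data\n";                        # inserts the value of $data; it is not re-parsed
print "calls caused by printing data: ", $ran - $before, "\n";

# 3. Only compiling the data as source code turns it into a literal.
#    eval EXPR is the step that does that.
my $evaled = eval qq{"$data"};
die "eval failed: $@" if $@;
print "$evaled\n";
print "calls caused by eval: ", $ran - $before, "\n";
```

When auditing Perl code for this issue, the places to look are eval EXPR calls whose argument includes externally supplied text, not print statements.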