PerlMonks  

Re^3: Small examples of string eval

by BrowserUk (Patriarch)
on May 14, 2006 at 19:05 UTC


in reply to Re^2: Small examples of string eval
in thread Small examples of string eval

anyone can run arbitrary code using your script ...

Apart from the fact that only I run the scripts in question, those same bad people you are paranoid about could also type perl -e"the same arbitrary code"

With a tiny bit of programming ...

Show me the code.


Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.

Re^4: Small examples of string eval
by brian_d_foy (Abbot) on May 14, 2006 at 20:04 UTC

    These discussions typically start with "only I run the script", and that's just a lack of imagination. You know better than that. And, it's not just a script you're running. You're telling the world it's a good idea to follow your example. You know that's not the right thing to do, and you know it's hazardous.

    The expression code is easily handled by Math::Expression (on CPAN), like everything else you want to do. This is what I use when I need this, although I had to modify the source to add ** as an operator (but that's really easy and I'm sure you'll figure it out as easily as you could have found this module, but I'll include the patch for everyone else).

        #!/usr/bin/perl
        use Math::Expression;

        my $expr = Math::Expression->new;
        # Parse the expression into a tree, then evaluate the tree
        my $tree   = $expr->Parse( "8*1024**3" );
        my $answer = $expr->EvalTree( $tree, 0 );
        print "My answer is $answer\n";

    And, as you know, security is subverted by a combination of factors. You know that you've taken a shortcut and you know what the problem is. If someone can coerce your code to running as your userid (perhaps through changing the file mode, or even just changing a shell script that uses this script), they have their in. Again, as you know, security happens in layers and you do what you can to prevent unintended uses. You know that your eval shortcut can do a lot more than you want, and you also don't care to make the easy (and re-usable) fix. That's why some people have to be paranoid. :)

    58,59c58,59 < my $HighestOperPrec = 15; < my $PrecTerminal = 16; # Precedence of terminal (or l +ist) - ie operand --- > my $HighestOperPrec = 14; > my $PrecTerminal = 15; # Precedence of terminal (or l +ist) - ie operand 61,65c61,64 < '(' => [17, 17], < 'var' => [16, 16], < 'const' => [16, 16], < 'func' => [16, 16], < '**'=> [15, 15], --- > '(' => [16, 16], > 'var' => [15, 15], > 'const' => [15, 15], > 'func' => [15, 15], 170c169 < --- > 180c179 < elsif($expr =~ s@^(:=|>=|<=|==|<>|!=|&&|\|\||lt|gt|le| +ge|eq|ne|\ *{2}|[-./*%+,<>\?:\(\);])@@) { --- > elsif($expr =~ s@^(:=|>=|<=|==|<>|!=|&&|\|\||lt|gt|le| +ge|eq|ne|[ -./*%+,<>\?:\(\);])@@) { 480d478 < return $left ** $right if($oper eq '**');
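    Review bot: the diff runs in the wrong direction for the change described. The `<` (left-hand file) lines are the ones that carry the exponentiation support (`'**'=> [15, 15]`, the `**` alternative in the tokenizer regex, and `return $left ** $right if($oper eq '**');`), while the `>` lines are the stock module, so applying this as a patch would remove `**` rather than add it; regenerate it with the unmodified module as the left argument and the edited copy as the right. Once it is applied the right way round, one thing to verify: `**` is right-associative in Perl, so `2**3**2` must give 512 and not 64; confirm that giving `**` equal left and right precedence entries yields that grouping in this parser.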

    Maybe you don't want to use a module, though, and that's fine. That's a better reason than "that will never happen". There are all sorts of other things you can do to harden your code, but you have to want to do that. At the very least, turn on taint checking and scrub the input.

    --
    brian d foy <brian@stonehenge.com>
    Subscribe to The Perl Review
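    A worked version of the two measures named above (taint mode plus scrubbing the input), added here as an example and not code from either poster: the expression is accepted only if it matches a whitelist of numeric-expression characters, which is also what untaints it under -T, and it is then evaluated inside a Safe compartment rather than by a bare string eval. Assumes it is invoked as perl -T so the shebang flag is honoured; the sample inputs at the bottom are constructed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Safe;

# Whitelist: digits, decimal point, arithmetic operators (** is just two
# '*' characters), parentheses and whitespace. Nothing else gets through,
# and the capture is what untaints the value under -T.
sub scrub_expression {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ m{\A([\d\s.+\-*/%()]+)\z};
    return $clean;
}

# Evaluate the scrubbed text inside a Safe compartment instead of a bare
# string eval. The compartment's default opmask refuses system, backticks,
# open, require and nested eval, so they are compile errors even if the
# whitelist were ever loosened.
sub eval_expression {
    my ($raw) = @_;
    my $clean = scrub_expression($raw);
    die "rejected: characters outside the numeric whitelist\n"
        unless defined $clean;
    my $cpt    = Safe->new;
    my $result = $cpt->reval($clean);
    die "rejected: $@" if $@;
    die "rejected: expression produced no value\n" unless defined $result;
    return $result;
}

# Constructed sample inputs: the 8*1024**3 case from this thread, a
# syntactically broken expression, and a shell escape that must never run.
for my $input ( '8*1024**3', '(2+3', 'system("id")' ) {
    my $value = eval { eval_expression($input) };
    print defined $value ? "$input = $value\n" : "$input -> $@";
}
```

    The first input evaluates to 8589934592, the second is reported as a syntax error by the compartment, and the third never reaches eval at all because the whitelist rejects it.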
      These discussions typically start with "only I run the script", and that's just a lack of imagination. You know better than that.

      Um no. Read the thread again. This was not 'advice' to a petitioner, but a response to a request for "Small examples of string eval".

      You're telling the world it's a good idea to follow your example.

      No I am not. I am describing one useful example use I make of string eval.

      Your 'nanny state' attitude reminds me of sit-com mothers spelling out "bad words" letter by letter so their children won't understand.

      "Yes. I too find occasions when S-T-R-I-N-G E-V-A-L is U-S-E-F-U-L; but don't tell the K-I-D-S!".

      As for your code example: you had to extend it to deal with exponentiation. How about &, |? How about shift-left (<<) and shift-right (>>)? Or string increment ($n++)? Bitwise operators on strings ($a ^ $b)? Ranges ('a'..'z'; 1..10)? Hash and array variables? sqrt()? The list goes on. And on... And on.

      Perl has a very well designed, tried, and tested expression parser built in. For the purpose I described, it is illogical to try and recreate it. Talk about re-inventing the wheel and passing up opportunities for code reuse.

      There are all sorts of other things you can do to harden your code, but you have to want to do that. At the very least, turn on taint checking and scrub the input.

      If you are obtaining input from unknown persons via (say) the web, then these measures are appropriate. If you are obtaining input from a person sat at the keyboard with the ability to run perl(.exe), they are simply pointless.

      Do you put your seatbelt on to drive your car from the drive into your garage?

      There are times when such hardening is appropriate. There are times when it is not. The trick is recognising the difference. I know the difference and I am sure you do too; but unlike you, I do not operate under the premise that other people are not smart enough to understand. Nor do I feel the need to preach about it.


      The expression code is easily handled by Math::Expression (on CPAN), like everything else you want to do.

      Still believing that sweeping statement? Does this help change your mind?


