Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris

Re^2: ascii colors from text file

by extremely (Priest)
on Mar 02, 2007 at 20:37 UTC ( #602957=note: print w/replies, xml ) Need Help??

in reply to Re: ascii colors from text file
in thread ascii colors from text file

Of course, if he parses the file by splitting on white space and then on "=" like most people would first think to do, then you've ensured that anyone who can edit the color file can cause him to run arbitrary code.

Maybe not a big deal for him but probably not a great meme to spread around.

Worse, your example evals the final string, not the color text once when parsing. That means if he has "$1 dollar" anywhere in his text he's getting lord knows what in place of "$1"... probably "=" or the last title word ("color15"?) depending on how his parser works. Hopefully he won't print a nice "$$$$$$$$$$$$" anywhere when decorating his report. :)

$you = new YOU;
honk() if $you->love(perl)

Replies are listed 'Best First'.
Re^3: ascii colors from text file
by almut (Canon) on Mar 02, 2007 at 22:53 UTC

    Yeah sure, I agree that eval is always potentially dangerous... I figured this is rather well-known. And, I wasn't trying to spread "great memes" :)   Rather, I was simply trying to generically answer the problem of "Normally, I would use a double quoted string in my script... now what do I do to arrive at the same effect when I hold the part in between the quotes literally in a string, like when having read it from a file?"   Nowhere in the OP was any mention of other people potentially having control over the input.

    Along similar lines you'd have to warn people every time they interpolate some variable into some command like

    system "convert $imgname.png $imgname.jpg"
    because, if $imgname could potentially come from an insecure source, they might get into trouble inadvertendly running something like

    system "convert ; rm -rf ~/* ;.png ..."

    I'd probably even mention it if the danger is obvious, like someone inexperienced trying to execute code like this in CGI context or some such, but otherwise... should we always warn?

      [about string eval to enforce interpolation]

      I'd probably even mention it if the danger is obvious, like someone inexperienced trying to execute code like this in CGI context or some such, but otherwise... should we always warn?

      Well, you don't know in what context someone will read your write-up in the future. Even in the given context, I am by no means sure if the original author is aware of the possible risk. She or he accepted the advice rather light-heartedly. I think we should always warn.


Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://602957]
[1nickt]: Corion HPs? ugh. I was impressed with Lenovo's gaming laptops; if it weren't for the red backlighting and general flashiness of the aesthetic, I might have gone with that. But all that was until I discovered that the Dell Precision line is still around.
[1nickt]: stevieb I don;t doubt that there's a difference. BestBuy has "consumer" models only on display.
[ambrus]: 1nickt: for some reason, these days they call every computer "gaming", even ones that gamers wouldn't buy. I've bought a keyboard that was labelled "gamer", despite that it has hard springs and seems to be way better for typing than for gaming;
[1nickt]: I though the gamers like that because they bash the keys so hard.
[ambrus]: and I've seen motherboards with no fast expansion ports for a video card but built-in hardware RAID advertized as "gaming".
LanX has a shaming laptop
[ambrus]: 1nickt: my impression is that the gamers like the softer springs, because fast reaction time is more important to them then feedback from keypresses to recognize typos.

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (14)
As of 2017-03-27 13:41 GMT
Find Nodes?
    Voting Booth?
    Should Pluto Get Its Planethood Back?

    Results (320 votes). Check out past polls.