Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine

Re^3: Passing argument into STDIN inside reval

by 7stud (Deacon)
on Feb 12, 2013 at 18:06 UTC ( #1018421=note: print w/replies, xml ) Need Help??

in reply to Re^2: Passing argument into STDIN inside reval
in thread Passing argument into STDIN inside reval

That's confounding. I printed out the masks for both permit(qw(print readline)) and permit_only(qw(print readline)) using printf():
printf "%vd \n", $compartment->mask;

...and they are clearly different, which means a compartment allows some default operations that permit_only() must be erasing. Rereading the Safe docs, there is a set of default operations bundled under :default that are allowed. You have to check the Opcode docs to see which operations that :default includes. I'm not sure which ones I erased with permit_only() that are needed to reval() my sample code--but in any case it looks like if you want to use permit_only(), then you probably need a pretty good grasp of perl internals.

I did a bunch of trial and error, and to get permit_only() to work on my sample code, I need all these:

$compartment->permit_only(qw( print readline :base_core :base_mem :base_orig) );
The :default bundle of operations that a compartment allows consists of a bevy of other bundles:


See the Opcode docs for which operations are included in each of those bundles.

Replies are listed 'Best First'.
Re^4: Passing argument into STDIN inside reval (Update: which opcodes to enable)
by Dallaylaen (Hermit) on Feb 14, 2013 at 21:14 UTC

    Thanks for pointing out Opcode.

    So here's my opcode hunter:

    #!/usr/bin/perl -w use strict; use Opcode qw(opset opmask_add opset_to_ops invert_opset); my $code = shift; defined $code or die "Usage: $0 <code> <permitted_opcode> <permitted_opcode> ...\n" +; # skip some masks from prev operations my %skip; $skip{$_}++ for @ARGV; my @all = opset_to_ops(invert_opset(opset())); # Try all opcodes, print error if eval failed foreach ( @all ) { $skip{$_} and next; opmask_add(opset($_)); eval $code and next; print "Eval failed on opcode: $_ with error: $@\n"; exit 1; }; print "Eval OK\n";

    For input "my $x; 1" it requires four operators - const padany lineseq leaveeval

    padany is the one responsible for the "private vatriable" error observable in this thread.

    Now how come private variable is needed in "eval 1"? SIGDIE is my friend! Sooo... Let's get a stack trace:

    #!/usr/bin/perl -w use strict; use warnings; use 5.012; use Safe; use Carp; my $code = shift; die "Usage: $0 <code> <premitted op> <permitted op> ..." unless define +d $code; my @perm = @ARGV; print "Trying: $code\n"; my $compartment = Safe->new; $compartment->share('*STDIN'); $compartment->share('&Dumper'); $compartment->permit_only(@perm); # Trap detailed stack trace my $stack; local $SIG{__DIE__} = sub { $stack = Carp::longmess(shift) }; print $compartment->reval($code); if ($@) { print "Unsafe code detected: $@"; print "At: $stack"; }

    Here's my stack trace (note Carp complaining).

    bash$ perl 1 Trying: 1 Unsafe code detected: 'private value' trapped by operation mask at (ev +al 5) line 1. At: 'private value' trapped by operation mask at (eval 5) line 1. at (eval 5) line 1 eval 'my $__ExPr__;1 ;' called at (eval 4) line 1 main::__ANON__(** Incomplete caller override detected; @DB::args w +ere not set **) called at /usr/share/perl/5.14/ line 358 eval {...} called at /usr/share/perl/5.14/ line 358 Safe::reval(** Incomplete caller override detected; @DB::args were + not set **) called at line 26

    Aha, so Safe has added a "my" to my code before executing it. Finally, let's enable opcodes found by first script:

    bash$ perl 1 padany const leaveeval lineseq Trying: 1 1
    Conclusion: No sensible code will be ever executed by a compartment w/o these four opcodes.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1018421]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (4)
As of 2018-05-27 23:46 GMT
Find Nodes?
    Voting Booth?