That should be sanitized somehow. IDK exactly how but that looks like perl injection/rooting.
It is - using eval to execute user supplied 'stuff' is dangerous. However it's _most_ dangerous when the program runs as a privileged user (e.g. web server, database instance). If I write a script, and then 'break' it, then I don't elevate my privileges, so at best it's a cute trick, on a par with using perl to 'process' STDIN.
A case in point
If however, you do have potential privilege escalation, then it's very important to sanitise your inputs. Normally, you'd do this by 'whitelisting' certain characters (e.g. numbers + arithmetic operators) and removing anything that isn't. URI::Escape may be useful for that - if you do it right, a regular expression will do the trick, but I can't elaborate off the top of my head.
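The whitelisting approach the reply describes, worked through as an added example (this is not code from the thread or from any of its posters): a calculator-style input is checked against a character whitelist of digits, whitespace, parentheses and arithmetic operators before it is handed to `eval`, so strings carrying `system`, backticks or `$ENV{...}` are rejected up front. The `safe_arith` function, its length cap and the constructed inputs are all assumptions made for the illustration.

```perl
#!/usr/bin/env perl
# Added example, not from the PerlMonks thread: whitelist input before eval.
use strict;
use warnings;

# Accept only digits, whitespace, the decimal point, parentheses and the four
# arithmetic operators. Letters, quotes, backticks, ';' and '$' never reach eval.
# The length cap is an assumption for this example: a pure character whitelist
# still allows things like 9**9**9, so bound the work the interpreter can do.
sub safe_arith {
    my ($input) = @_;
    return (undef, "rejected: empty input")
        unless defined $input && length $input;
    return (undef, "rejected: input too long")
        if length $input > 64;
    return (undef, "rejected: disallowed characters")
        unless $input =~ /\A[\d\s.()+\-*\/]+\z/;

    # Block-style use of string eval: a syntax error or division by zero
    # becomes an error string in $@ instead of killing the script.
    my $result = eval $input;
    return (undef, "evaluation failed: $@") if $@;
    return ($result, undef);
}

# Constructed sample inputs: the first is benign; the rest are what an
# attacker would send to a script that passed user text straight to eval.
my @inputs = (
    '2 * (3 + 4)',
    '1; system("id")',
    '`uname -a`',
    '$ENV{HOME}',
    '1/0',
);

for my $in (@inputs) {
    my ($val, $err) = safe_arith($in);
    printf "%-22s => %s\n", "'$in'", defined $val ? $val : $err;
}
```

Only the first input evaluates (to 14); the injection attempts are refused by the regex before `eval` sees them, and `1/0` is caught as an evaluation error rather than a crash. Checking against an allow-list is the right shape: a deny-list of "dangerous" tokens is easy to get wrong, whereas a regex anchored with `\A` and `\z` over an explicit character set leaves no room for anything the script did not intend to evaluate.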