PerlMonks  

Re^2: Execute a string which has math operation

by bulk88 (Priest)
on Jan 05, 2014 at 07:23 UTC ( #1069364 )


in reply to Re: Execute a string which has math operation
in thread Execute a string which has math operation

That should be sanitized somehow. IDK exactly how but that looks like perl injection/rooting.


Re^3: Execute a string which has math operation
by Preceptor (Chaplain) on Jan 05, 2014 at 10:22 UTC

    It is - using eval to execute user supplied 'stuff' is dangerous. However it's _most_ dangerous when the program runs as a privileged user (e.g. web server, database instance). If I write a script, and then 'break' it, then I don't elevate my privileges, so at best it's a cute trick, on a par with using perl to 'process' STDIN.

    A case in point

    If however, you do have potential privilege escalation, then it's very important to sanitise your inputs. Normally, you'd do this by 'whitelisting' certain characters (e.g. numbers + arithmetic operators) and removing anything that isn't. URI::Escape may be useful for that - if you do it right, a regular expression will do the trick, but I can't elaborate off the top of my head.
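As an added example (not code from any poster in this thread), here is one way to apply the whitelist idea Preceptor describes and then go a step further: the string is first checked against a character whitelist, and is then evaluated by a small hand-written parser instead of being passed to `eval`. The function names, the grammar (numbers, `+ - * /`, unary minus and parentheses) and the sample inputs are all my own choices, not anything from the original thread.

```perl
#!/usr/bin/env perl
# Added example, not from the thread: evaluate an arithmetic string without
# handing it to eval. Layer 1 is a character whitelist; layer 2 is a small
# recursive-descent parser that only understands what the grammar allows.
use strict;
use warnings;

# Layer 1: whitelist. Anything other than digits, '.', the four operators,
# parentheses and whitespace is refused before any further processing.
sub is_whitelisted {
    my ($expr) = @_;
    return $expr =~ m{\A[\d\s.+\-*/()]+\z} ? 1 : 0;
}

# Layer 2: grammar (hypothetical, chosen for this example)
#   expr   := term (('+'|'-') term)*
#   term   := factor (('*'|'/') factor)*
#   factor := number | '(' expr ')' | '-' factor
sub evaluate {
    my ($expr) = @_;
    die "rejected by whitelist\n" unless is_whitelisted($expr);

    # Tokenise; anything the tokeniser cannot consume (e.g. "1..2") is an error
    # rather than being silently skipped.
    my @tok;
    pos($expr) = 0;
    while ($expr =~ m{\G\s*(?:(\d+(?:\.\d+)?)|([-+*/()]))}gc) {
        push @tok, defined $1 ? $1 : $2;
    }
    $expr =~ m{\G\s*\z}gc
        or die "unexpected character at offset " . pos($expr) . "\n";

    my $pos = 0;
    my ($parse_expr, $parse_term, $parse_factor);

    $parse_factor = sub {
        my $t = $tok[$pos++] // die "unexpected end of input\n";
        if ($t eq '(') {
            my $v = $parse_expr->();
            ($tok[$pos++] // '') eq ')' or die "missing ')'\n";
            return $v;
        }
        return -$parse_factor->() if $t eq '-';
        return 0 + $t if $t =~ /\A\d/;
        die "unexpected token '$t'\n";
    };

    $parse_term = sub {
        my $v = $parse_factor->();
        while ($pos < @tok && $tok[$pos] =~ m{\A[*/]\z}) {
            my $op = $tok[$pos++];
            my $r  = $parse_factor->();
            if ($op eq '*') { $v *= $r }
            else            { die "division by zero\n" if $r == 0; $v /= $r }
        }
        return $v;
    };

    $parse_expr = sub {
        my $v = $parse_term->();
        while ($pos < @tok && $tok[$pos] =~ m{\A[-+]\z}) {
            my $op = $tok[$pos++];
            my $r  = $parse_term->();
            $v = $op eq '+' ? $v + $r : $v - $r;
        }
        return $v;
    };

    my $result = $parse_expr->();
    die "trailing input\n" if $pos < @tok;
    return $result;
}

# Constructed sample inputs: well-formed expressions plus ones that must be refused.
for my $input ('2 + 3 * (4 - 1)', '-(1.5 * 4) / 3', 'system("id")', '1 / 0', '2 +') {
    my $out = eval { evaluate($input) };
    printf "%-20s => %s\n", $input, defined $out ? $out : "ERROR: $@";
}
```

The parser is the part that matters for safety: a whitelist of digits and operators in front of a plain `eval` still lets the whitelisted characters form Perl expressions the author did not intend (for instance `**` built from two `*`, which with large operands can consume a great deal of CPU and memory). Because the grammar above only knows the four operators, such a string fails to parse instead of being executed, and no string ever reaches `eval` at all.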
