PerlMonks  

Re^2: Execute a string which has math operation

by bulk88 (Priest)
on Jan 05, 2014 at 07:23 UTC (#1069364)


in reply to Re: Execute a string which has math operation
in thread Execute a string which has math operation

That should be sanitized somehow. IDK exactly how but that looks like perl injection/rooting.


Re^3: Execute a string which has math operation
by Preceptor (Chaplain) on Jan 05, 2014 at 10:22 UTC

    It is - using eval to execute user supplied 'stuff' is dangerous. However it's _most_ dangerous when the program runs as a privileged user (e.g. web server, database instance). If I write a script, and then 'break' it, then I don't elevate my privileges, so at best it's a cute trick, on a par with using perl to 'process' STDIN.

    A case in point

    If however, you do have potential privilege escalation, then it's very important to sanitise your inputs. Normally, you'd do this by 'whitelisting' certain characters (e.g. numbers + arithmetic operators) and removing anything that isn't. URI::Escape may be useful for that - if you do it right, a regular expression will do the trick, but I can't elaborate off the top of my head.
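As an added illustration of the whitelisting approach Preceptor describes (this is not code from the thread): a character whitelist is only the first gate, because characters such as `*` that pass it can still be combined into expressions like `2 ** 999999` that eval would happily chew on. The safer route is to never hand the string to eval at all and parse the arithmetic by hand. `safe_calc` below is a hypothetical helper that does exactly that; the sample inputs at the bottom are constructed.

```perl
use strict;
use warnings;

# Evaluate untrusted arithmetic without eval(): whitelist the characters, then
# parse with a hand-written recursive-descent parser, so no part of the input
# is ever compiled as Perl code.
sub safe_calc {
    my ($src) = @_;
    # Whole string must be numbers, + - * / and parens (rejects letters, quotes, '1.2.3')
    die "disallowed input\n"
        unless $src =~ m{^(?:\s*(?:\d+(?:\.\d+)?|[-+*/()]))*\s*$};
    my @tok  = $src =~ m{(\d+(?:\.\d+)?|[-+*/()])}g;
    my $i    = 0;
    my $peek = sub { $i < @tok ? $tok[$i] : '' };
    my $next = sub { $i < @tok ? $tok[$i++] : undef };
    my ($expr, $term, $factor);
    $factor = sub {                     # NUMBER | '(' expr ')' | '-' factor
        my $t = $next->();
        die "unexpected end of expression\n" unless defined $t;
        return -$factor->() if $t eq '-';
        if ($t eq '(') {
            my $v = $expr->();
            die "missing ')'\n" unless ($next->() // '') eq ')';
            return $v;
        }
        die "unexpected token '$t'\n" unless $t =~ /^\d/;   # '2 ** 9' stops here
        return $t;
    };
    $term = sub {                       # factor (('*'|'/') factor)*
        my $v = $factor->();
        while ($peek->() =~ m{^[*/]$}) {
            my ($op, $r) = ($next->(), $factor->());
            $v = $op eq '*' ? $v * $r : $v / $r;   # perl dies on /0, caught by caller's eval
        }
        return $v;
    };
    $expr = sub {                       # term (('+'|'-') term)*
        my $v = $term->();
        while ($peek->() =~ m{^[-+]$}) {
            my ($op, $r) = ($next->(), $term->());
            $v = $op eq '+' ? $v + $r : $v - $r;
        }
        return $v;
    };
    my $result = $expr->();
    die "trailing input '" . $peek->() . "'\n" if $i < @tok;
    return $result;
}

# Constructed inputs: two valid expressions, two that must be refused.
for my $in ('2 + 3 * (4 - 1)', '-(2.5*4)/5', 'system("id")', '2 ** 999999') {
    my $out = eval { safe_calc($in) };
    printf "%-18s => %s", $in, defined $out ? "$out\n" : "rejected: $@";
}
```

The `eval { ... }` block form here only traps the die from the parser; it never compiles the user's string, which is the whole point.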
