Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

Re: Re: How to do that with eval ?

by tachyon (Chancellor)
on Apr 10, 2004 at 08:05 UTC ( #344103=note: print w/ replies, xml ) Need Help??


in reply to Re: How to do that with eval ?
in thread How to do that with eval ?

$sop = ";print qq!You have been hacked rm -rf *!;";

String eval + User Input == Shudder. Any. Arbitrary. Code.

cheers

tachyon


Comment on Re: Re: How to do that with eval ?
Download Code
Re: Re: Re: How to do that with eval ?
by perlmonkey (Hermit) on Apr 10, 2004 at 08:12 UTC
    Absolutely. If the above script was a cgi, you might as well reformat your disk now. If the script is meant to be a 'quick hack', evals work, they work well, and with minimal coding.

    I have used unsafe hacks like this for my personal dirty scripts because I dont have the time, inclination, or need to make them luser or h4x0r safe.

    As tachyon says, never use eval on user input unless this is intended to be a 'dirty quick hack'.
      >>"Absolutely. If the above script was a cgi, you might as well reformat your disk now. If the script is meant to be a 'quick hack', evals work, they work well, and with minimal coding."

      Hi,

      In the interests of clarity I'd be grateful if you could make it absolutely clear which of the "above" scripts you are referring to. I'm trying to learn and don't want to inadvertently misunderstand.

      Thanks

      Sid
        By 'above' I was refering to my previous post. If you run an eval on user input, the user input could be anything. In this case if the user instead of entering '>=' like we expect, enters ';`sudo rm -rf /`;' this will make the eval execute this extremely damaging command.

        For more reasons of how to make sure you are not allowing users to do bad things, please read the perlsec manpage

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://344103]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (7)
As of 2014-09-16 05:55 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite cookbook is:










    Results (156 votes), past polls