Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re^2: how would you detect a math expression

by Molt (Chaplain)
on Feb 19, 2007 at 14:11 UTC ( #600849=note: print w/ replies, xml ) Need Help??


in reply to Re: how would you detect a math expression
in thread how would you detect a math expression

Sounds more like a dangerous idea.. try Googling for system('rm -rf /'), see if it takes their entire system down.

I know that's a very extreme example, and would require a very badly set up system, but bear in mind you've just allowed your random passer-by to do anything the user the webapp's running as could do.

Running eval() on user input is a very dangerous hobby, much better to use Parse::RecDescent to parse it into a sane, and safe, mini-languase.


Comment on Re^2: how would you detect a math expression
Download Code
Re^3: how would you detect a math expression
by shmem (Canon) on Feb 19, 2007 at 14:18 UTC
    Sounds more like a dangerous idea..

    Uh-oh. Of course you're right; I forgot to mention that before that, a double fork and subsequent chroot /dev/null is required :-)

    Good point, Molt++

    --shmem

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                                  /\_¯/(q    /
    ----------------------------  \__(m.====·.(_("always off the crowd"))."·
    ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
      Even with the double fork and chroot there're still a lot of potential security holes which are open, for example consider the following two fairly common attacks for a couple off the top of my head:
      • Denial of service attacks: Make the machine talk to itself a lot.. use LWP::Simple; while (1) { get("http://localhost/something_intensive.cgi")} (bonus points for calling the the calculator again with the same effect), fork bombing with while (1) { fork }, or getting a list of the current user's active processes and kill -9'ing them.
      • Mailing back details from your machine to the aggressor to get information for other attacks: Grab the script, grab the config files listed in the script, connect to the database with credentials from config file, delete all data or subtly corrupt it as you see fit. If this application has no config file there're probably other web apps on the machine who's config file you can get.
      Basically this is the Whack-A-Mole kind of thing where you think of two avenues of attack and block them, the attacker thinks of a third and causes you pain. The kind of security provided by the Safe module could be a step in the right direction but that'd need careful config, whereas the route means that the operations the user can execute are strictly restricted to a known-safe subset, and also means that the user can enter terms such as '2x2.23kg in lbs' which'd never run in Perl even with constants carefully defined.
        Even with the double fork and chroot there're still a lot of potential security holes which are open, for example consider the following two fairly common attacks for a couple off the top of my head:

        of course taint mode is required, as well as sanitizing the input, limiting it to a safe subset of expressions. And it seems that I am required to advise the usage of strict and warnings also... but that's not the point of the thread, is it?

        --shmem

        Happy Year of the Golden Pig!
        oink ,,__
            o"   )~
             ''''
        
        _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                                      /\_¯/(q    /
        ----------------------------  \__(m.====·.(_("always off the crowd"))."·
        ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://600849]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (8)
As of 2014-07-25 03:47 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (167 votes), past polls