Banky has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to create a CGI application that allows users to Safely eval some types of Perl code. Of course I need the Safe module to only allow a small subset of opcodes that are considered safe and useful for this application. Here's a test script I've been writing. It basically goes through and finds what opcodes $line needs to execute. It ex
    #!/usr/bin/perl
    use Opcode;
    use Safe;

    my @names = Opcode::opset_to_ops(Opcode::full_opset);
    my @neededops;

    use CGI;
    my $query=CGI::new();
    print $query->header();
    print "<HTML><BODY>";

    foreach $name(@names) {
        my $cpt;
        $cpt=undef;
        $cpt=new Safe;
        $cpt->share('$name');
        # permit every opcode except the one under test
        my(@ops)=grep { $_ ne $name} @names;
        $cpt->permit_only(@ops);
        my $line=q{ print "Opcode: $name\n"; };
        $cpt->reval($line);
        # reval sets $@ when the code needed the denied opcode
        push @neededops, $name if $@;
    }
    print "<HR>\n\n@neededops\n";
    print "</BODY></HTML>";
It works fine from the command line but when I run it through a browser I get a "The document contains no data" dialog box. If I comment out $cpt->reval($line) this disappears. Any ideas why this might be happening?
Thanks a lot,


Replies are listed 'Best First'.
Re: use Safe and CGI;
by blue_cowdawg (Monsignor) on May 21, 2001 at 23:50 UTC

    You might want to use CGI::Carp qw/fatalsToBrowser/; The caveat I would give in using that is to make sure you remove it before you go to production with the code.

    Breaking your script would give a would-be hacker more information about your CGI environment than what might be healthy...

    Peter L. Berghold --- Peter@Berghold.Net
    "Those who fail to learn from history are condemned to repeat it."

    Edit: chipmunk 2001-05-21

      Thanks for the tip but even when I add that in I get the same error. Anybody got any ideas?
Re: use Safe and CGI;
by no_slogan (Deacon) on May 21, 2001 at 22:55 UTC
    Check your error logs, or use CGI::Carp qw(fatalsToBrowser).
Re: use Safe and CGI;
by Banky (Acolyte) on May 23, 2001 at 07:12 UTC
    Tested it on another server and it works fine. Needless to say I'm befuddled but glad it wasn't my program but some outside/unknown factor. I'm still curious as to what that might be though :)
Re: use Safe and CGI;
by ColtsFoot (Chaplain) on May 22, 2001 at 09:54 UTC
    I added a couple of BRs to improve formatting and when I
    run your script on a Linux box Redhat 6.2, perl 5.004_05
    I get the following output
        <HTML><BODY>Opcode: null<BR>
        Opcode: stub<BR>
        Opcode: scalar<BR>
        Opcode: wantarray<BR>
        Opcode: gvsv<BR>
        Opcode: gv<BR>
        Opcode: gelem<BR>
        Opcode: padsv<BR>
        Opcode: padav<BR>
        Opcode: padhv<BR>
        Opcode: padany<BR>
        Opcode: pushre<BR>
        Opcode: rv2gv<BR>
        Opcode: av2arylen<BR>
        Opcode: rv2cv<BR>
        ... ...
        Opcode: syscall<BR>
        <HR>pushmark<BR>
        <HR>const<BR>
        <HR>rv2sv<BR>
        <HR>concat<BR>
        <HR>stringify<BR>
        <HR>print<BR>
        <HR>leaveeval<BR>
        </BODY></HTML>
    Perhaps you could tell us what output you get when you run
    your script from the command line and a bit more about
    your setup
      This is what I get when I run it from the command line:
          Content-Type: text/html
          <HTML><BODY>Opcode: null
          Opcode: stub
          Opcode: scalar
          Opcode: wantarray
          Opcode: gvsv
          Opcode: gv
          Opcode: gelem
          Opcode: padsv
          Opcode: padav
          Opcode: padhv
          Opcode: padany
          ....
          Opcode: sgrent
          Opcode: egrent
          Opcode: getlogin
          Opcode: syscall
          Opcode: lock
          Opcode: threadsv
          <HR>
          pushmark const rv2sv concat stringify print leaveeval
          </BODY></HTML>
      I'm running perl 5.005_03 and Apache/1.3.9 (Unix) Debian/GNU
Re: use Safe and CGI;
by Anonymous Monk on May 15, 2003 at 02:13 UTC
    I suspect it has to do with mod_perl. I tried this one and some of my own scripts which use Safe, and there were troubles when they ran under mod_perl which disappeared when I turned it off with "SetHandler cgi-script" in an .htaccess file. I would be interested if anyone has found out why mod_perl interferes, and if there is a way to make it work under mod_perl, though.
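
An added example, not code from any poster in this thread: the leave-one-out probe from the question rewritten as a command-line script with no CGI or web server involved, followed by a check that a compartment locked to the discovered opcodes runs the probe line and refuses other code. The names `run_in` and `needed_ops`, the value of `$name` and the two refused sample strings are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Opcode qw(opset_to_ops full_opset);
use Safe;

our $name = 'demo';    # constructed value, shared into each compartment

# Run $code in $cpt with bare print captured in memory; return (output, error).
sub run_in {
    my ($cpt, $code) = @_;
    my $buf = '';
    open my $sink, '>', \$buf or die "in-memory handle: $!";
    my $old = select $sink;    # print without a filehandle now writes to $buf
    $cpt->reval($code);
    my $err = $@;              # set when a denied opcode was trapped
    select $old;
    close $sink;
    return ($buf, $err);
}

# Leave-one-out, as in the question: an opcode is needed if denying only it breaks $code.
sub needed_ops {
    my ($code) = @_;
    my @all = opset_to_ops(full_opset);
    my $cpt = Safe->new;
    $cpt->share('$name');
    my @needed;
    for my $op (@all) {
        $cpt->permit_only(grep { $_ ne $op } @all);
        my (undef, $err) = run_in($cpt, $code);
        push @needed, $op if $err;
    }
    return @needed;
}

my $line   = q{ print "Opcode: $name\n"; };
my @needed = needed_ops($line);
print "needed: @needed\n";

# Lock a fresh compartment down to exactly that set and re-test.
my $cpt = Safe->new;
$cpt->share('$name');
$cpt->permit_only(@needed);
# Constructed inputs: the probe line plus two snippets outside the whitelist.
for my $code ($line, q{ system("date"); }, q{ open(F, "</etc/hostname"); }) {
    my ($out, $err) = run_in($cpt, $code);
    chomp(my $status = $err ? "refused: $err" : "ran, printed: $out");
    print "$code => $status\n";
}
```

The opcode list it prints can differ from the seven names reported in this thread, since the ops a statement compiles to depend on the Perl version. Running it from a shell first separates a Safe problem from a web-server one such as the mod_perl behaviour described above.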