limit eval to caller local variables

FangQ

Hi

I don't know if this is possible in Perl. Basically, I had a CGI script
written in Perl (based on UseModWiki), and I want to allow users to define
customized rules to automatically modify the associated wiki pages.
These rules are defined in a normal wiki page, and are read and
executed (using eval()) when a user browses other wiki pages that are
associated with this rule file.

My question is, since users can write any valid Perl script in these
rule files, I don't know if there is a way to limit the variables that
users can modify, say only those within the caller. I also don't want
users to do any file I/O operations. Is this possible with eval?

A simpler but similar example can be found for $EarlyRules and
$LateRules, see
http://www.usemod.com/cgi-bin/wiki.pl?LateRules
and the actual eval is in sub EvalLocalRules() in
http://www.usemod.com/wikicode/usemod10.tar.gz

Thanks

Qianqian
 
Sumo Wrestler (or just ate too much)

FangQ said:
[...] since users can write any valid Perl script in these
rule files, I don't know if there is a way to limit the variables that
users can modify, say only those within the caller. I also don't want
users to do any file I/O operations. Is this possible with eval?
[...]

TCL has a feature called Safe-TCL that allows you to create restricted
execution environments (called slave interpreters) where you can remove
commands and variables. By default, the most risky commands are removed
in "untrusted" interpreters. That is something outside of Perl that you
might look into.

Within Perl, there are some modules on CPAN that have the word "safe" in
them. Perhaps they can help you.
 
Ala Qumsieh

FangQ said:
My question is, since users can write any valid Perl script in these
rule files, I don't know if there is a way to limit the variables that
users can modify, say only those within the caller. I also don't want
users to do any file I/O operations. Is this possible with eval?

Not sure exactly, but the closest thing I know of is Safe. 'perldoc
Safe' for more info.

--Ala
 
Ilya Zakharevich

[A complimentary Cc of this posting was sent to
FangQ
My question is, since users can write any valid Perl script in these
rule files, I don't know if there is a way to limit the variables that
users can modify, say only those within the caller. I also don't want
users to do any file I/O operations. Is this possible with eval?

To protect against benign code doing unexpected things, there is a
Safe module. If the environment is hostile, it is more or less
impossible to protect against in the current Perl.

Hope this helps,
Ilya
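
A sketch of the Safe module that the replies above point to, added here as an illustration; it is not code from the thread or from UseModWiki, and `$Text`, `$Secret`, `run_rule` and the file name `wiki.db` are hypothetical. It shares a single variable with the compartment and relies on Safe's default operator mask, which, per the last reply, guards against well-meaning rules doing unexpected things rather than against hostile code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Constructed stand-ins for the wiki's state (hypothetical names).
our $Text   = "Visit the SandBox page.";  # the one variable rules may edit
our $Secret = "site-admin-setting";       # must stay out of reach of rules

# Run one rule string in a fresh compartment.
# Returns the error text from the compartment, or '' if the rule ran cleanly.
sub run_rule {
    my ($rule) = @_;
    my $cpt = Safe->new;      # default opmask: open, unlink, system etc. are masked
    $cpt->share('$Text');     # expose only $Text from the calling package
    $cpt->reval($rule);       # compile and run inside the compartment's namespace
    return $@ ? "$@" : '';
}

# Constructed sample rules: one legitimate edit, three that overreach.
my @rules = (
    [ 'edit shared var', q{ $Text =~ s/SandBox/Playground/; } ],
    [ 'file io',         q{ open(my $fh, '<', 'wiki.db') or die "open failed"; } ],
    [ 'touch other var', q{ $main::Secret = 'overwritten'; } ],
    [ 'run a command',   q{ system('true'); } ],
);

for my $r (@rules) {
    my ($name, $code) = @$r;
    my $err = run_rule($code);
    $err =~ s/\s+\z//;        # trim the trailing newline from $@
    printf "%-16s %s\n", $name, $err eq '' ? 'ok' : "blocked: $err";
}

# Inside the compartment, main:: is the compartment's own root package,
# so the 'touch other var' rule writes to a private copy, not to our $Secret.
print "Text   = $Text\n";
print "Secret = $Secret\n";
```

Masked operators fail when the rule is compiled, so a rule containing `open` or `system` never starts running. Lexical (`my`) variables of the caller are not visible to `reval` at all, which is why the shared state has to be a package variable.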
 
