variables inside a string

Tina Müller

> The fact is that if a user knows (or guesses) your statement form,
> he/she will be able to splice in code, in any construction of eval "".

Not only then. It's way simpler.
Consider:
@{[ system('rm ...') ]}
or
${\ system('rm ...') }

Always remember that interpolation in perl does more than just replace
$foo with the value of $foo.
 
sln

>> The fact is that if a user knows (or guesses) your statement form,
>> he/she will be able to splice in code, in any construction of eval "".
>
> Not only then. It's way simpler.
> Consider:
> @{[ system('rm ...') ]}
> or
> ${\ system('rm ...') }
>
> Always remember that interpolation in perl does more than just replace
> $foo with the value of $foo.

Yeah. I'm afraid there is no way around it.
The initial interpolation via the form ' eval ""; ' is not the problem; it's
the second interpolation during code compilation that does the damage.

use strict;
use warnings;

# Two payloads that differ only by a leading space.
my @malicious = (
    q(@{[ system 'dir a*.pl' ]}),
    q( @{[ system 'dir a*.pl' ]}),
);

for my $user_data ( @malicious )
{
    # First interpolation: the payload is just a value here and is printed as-is.
    print "\n", qq($user_data), "\n";
    # The eval'd source becomes  print '= '.qq(\<payload>\n)
    # For the first payload \@ is a literal @, so nothing runs.
    # For the second the backslash escapes the leading space instead, and
    # @{[ system ... ]} still executes when the eval'd source is compiled.
    eval "print '= '.qq(\\$user_data\n)";
    print "--> $! - $@\n -------- \n\n";
}
__END__

-sln
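
The following is an added example, not code posted in this thread. It puts
Tina's point (interpolation can execute @{[ ... ]} and ${\ ... }) and sln's
demonstration (the damage happens when the eval'd source is compiled) side by
side with the alternative sln's reply implies: fill a template without ever
compiling it. The template text, the %vars hash, the sub names unsafe_fill
and safe_fill, and the inputs are all constructed for the demo; a harmless
echo stands in for the rm in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed data: the values the program actually intends to substitute.
my %vars = ( name => 'alice', count => 3 );

# Constructed inputs. The first is what a benign user writes; the other two
# are the @{[ ... ]} and ${\ ... } payloads from the thread, with echo in
# place of rm so the demo is safe to run.
my @inputs = (
    'Hello $name, you have $count items',
    'Hello @{[ system(q{echo INJECTED >&2}) ]}',
    'Hello ${\ system(q{echo INJECTED >&2}) } $name',
);

# UNSAFE: the template is pasted into Perl source and handed to eval "".
# The paste itself is harmless; the second interpolation, when that source
# is compiled, evaluates @{[ ... ]} and ${\ ... } and runs the command.
sub unsafe_fill {
    my ($template) = @_;
    my ($name, $count) = @vars{qw(name count)};   # visible to the string eval
    my $src = '"' . $template . '"';              # a '"' in the template breaks this too
    my $out = eval $src;
    return defined $out ? $out : "eval failed: $@";
}

# SAFE: never compile the template. Find $word placeholders with a regex and
# look each one up in %vars; everything else, including @{[ ... ]} and
# ${\ ... }, is copied through as plain text. Unknown placeholders stay as
# written. (Handles only $word, not ${word}; extend the regex if needed.)
sub safe_fill {
    my ($template) = @_;
    (my $out = $template) =~ s/\$(\w+)/exists $vars{$1} ? $vars{$1} : "\$$1"/ge;
    return $out;
}

for my $template (@inputs) {
    print "template : $template\n";
    print "  safe   : ", safe_fill($template), "\n";
    print "  unsafe : ", unsafe_fill($template), "\n\n";
}
```

Running this prints "INJECTED" on stderr twice, once for each payload
passed through unsafe_fill (the interpolated result is the system() return
value, so the line reads "Hello 0"), while safe_fill returns the payloads
verbatim and substitutes only $name and $count. The rule it illustrates is
the one from the thread: any text that reaches eval "" is source, and a
value that is interpolated into source gets interpolated a second time.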
 
Xho Jingleheimerschmidt

Tad said:
eval EXPR (which that is) is nearly always dangerous.

It is not particularly dangerous except when the script runs with
permissions different than those of the person supplying the information
being evaled.

If I provide someone else with a script, and they can run it (as
themselves) and they can maliciously trick it into deleting their own
files, what do I care? If they really want to delete their own files,
they can just do that directly.

Unless it is running setuid, or as the server of a client-server (both
not particularly common, IME), or some type of CGI (quite common), then
eval EXPR isn't all that dangerous. Except to your debugging time. And
sanity.


Xho
 
Randal L. Schwartz

Xho> If I provide someone else with a script, and they can run it (as
Xho> themselves) and they can maliciously trick it into deleting their
Xho> own files, what do I care? If they really want to delete their own
Xho> files, they can just do that directly.

Xho> Unless it is running setuid, or as the server of a client-server
Xho> (both not particularly common, IME) or some type of CGI (quite
Xho> common) then eval EXPR isn't all that dangerous. Except to your
Xho> debugging time. And sanity.

You apparently have no sense of responsibility that you are creating
code that *he* will then likely share to people who use it in ways that
*you* did not intend.

Some of the rest of us *do* have that sense.

So, in that sense, we mean "dangerous" as literally that.

It's amazing how much code gets cargo-culted into a completely
unexpected and unrelated application.

print "Just another Perl hacker,"; # the original
 
