James Laver james.laver at gmail.com
Mon Jun 9 13:10:35 BST 2014

On 9 Jun 2014, at 12:39, Abigail <abigail at abigail.be> wrote:

> In short, Safe.pm may be the answer, but depending on who your users are,
> it may be overkill, or still contain too many hooks for an attacker.

In short, if you trust the input, just eval() it, and if you don’t, you want a parser.

You might consider transforming it automatically into postfix notation and building a really simple stack machine if you just want basic arithmetic and placeholders. Otherwise, I can recommend Parse::RecDescent. Perhaps you can be cheeky and get them to write some YAML like this:

operation: "+"
with:
  - 1
  - operation: "-"
    with:
      - 2
      - operation: "*"
        with: [3, 4]

Not very user friendly, but very easy to work with. It depends how much effort you’re willing to put in and whether you trust the input.
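As an added illustration of the postfix-plus-stack-machine route (this is not code from James's message or from anyone on the list), the following Perl takes an infix expression with placeholders, runs it through a shunting-yard pass to produce postfix, and evaluates the result with a stack machine. The placeholder syntax `{name}`, the four-operator grammar, and the function names `tokenize`, `to_postfix`, `evaluate` and `calc` are all assumptions made for this example. The point is that no user text is ever handed to string eval(): anything the tokenizer does not recognise is rejected before it gets anywhere near perl's parser.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Precedence of the only operators accepted; all are left-associative.
my %PREC = ('+' => 1, '-' => 1, '*' => 2, '/' => 2);

# Tokenizer: numbers, {placeholder} names, the four operators, parens.
# Anything else dies here, so hostile input never reaches eval().
sub tokenize {
    my ($src) = @_;
    my @tokens;
    pos($src) = 0;
    while (pos($src) < length $src) {
        if    ($src =~ /\G\s+/gc)                { next }
        elsif ($src =~ /\G(\d+(?:\.\d+)?)/gc)    { push @tokens, [num   => $1] }
        elsif ($src =~ /\G\{([A-Za-z_]\w*)\}/gc) { push @tokens, [var   => $1] }
        elsif ($src =~ /\G([-+*\/])/gc)          { push @tokens, [op    => $1] }
        elsif ($src =~ /\G([()])/gc)             { push @tokens, [paren => $1] }
        else { die sprintf "unexpected input at offset %d\n", pos($src) }
    }
    return @tokens;
}

# Shunting-yard: infix token list -> postfix token list.
sub to_postfix {
    my @tokens = @_;
    my (@out, @ops);
    for my $t (@tokens) {
        my ($kind, $val) = @$t;
        if ($kind eq 'num' || $kind eq 'var') {
            push @out, $t;
        }
        elsif ($kind eq 'op') {
            while (@ops && $ops[-1][0] eq 'op' && $PREC{ $ops[-1][1] } >= $PREC{$val}) {
                push @out, pop @ops;
            }
            push @ops, $t;
        }
        elsif ($val eq '(') {
            push @ops, $t;
        }
        else {    # ')'
            while (@ops && $ops[-1][1] ne '(') { push @out, pop @ops }
            @ops or die "unbalanced ')'\n";
            pop @ops;
        }
    }
    while (@ops) {
        my $t = pop @ops;
        die "unbalanced '('\n" if $t->[1] eq '(';
        push @out, $t;
    }
    return @out;
}

# Stack machine over the postfix list; placeholders come from %$vars,
# which the application controls, not the user.
sub evaluate {
    my ($postfix, $vars) = @_;
    my @stack;
    for my $t (@$postfix) {
        my ($kind, $val) = @$t;
        if    ($kind eq 'num') { push @stack, $val }
        elsif ($kind eq 'var') {
            exists $vars->{$val} or die "unknown placeholder {$val}\n";
            push @stack, $vars->{$val};
        }
        else {
            @stack >= 2 or die "malformed expression\n";
            my $b = pop @stack;
            my $a = pop @stack;
            if    ($val eq '+') { push @stack, $a + $b }
            elsif ($val eq '-') { push @stack, $a - $b }
            elsif ($val eq '*') { push @stack, $a * $b }
            else { $b == 0 and die "division by zero\n"; push @stack, $a / $b }
        }
    }
    @stack == 1 or die "malformed expression\n";
    return $stack[0];
}

sub calc {
    my ($src, $vars) = @_;
    my @postfix = to_postfix(tokenize($src));
    return evaluate(\@postfix, $vars);
}

# Constructed sample inputs for the demo.
my %vars = (price => 12.5, qty => 4);
printf "%s = %s\n", $_, calc($_, \%vars)
    for '1 + 2 * 3', '(1 + 2) * 3', '{price} * {qty} - 10';

# Hostile or broken input is rejected, not evaluated. The eval { } here is
# the block form, used only to trap die(); no string ever reaches eval().
for my $bad ('system("id")', '1 +', '2 / (1 - 1)') {
    my $r = eval { calc($bad, \%vars) };
    print "rejected '$bad': $@" unless defined $r;
}
```

The grammar deliberately has no unary minus, no function calls and no identifiers outside `{...}`; extending it means adding a token type and a rule, which is the work a parser makes explicit and that string eval() silently skips.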


