Evaluating user-defined conditions

Abigail abigail at abigail.be
Tue Jun 10 08:20:36 BST 2014


On Tue, Jun 10, 2014 at 07:10:30AM +0100, Andrew Beverley wrote:
> On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote:
> > Dear all,
> > 
> > I'd like to take a condition specified by a user and use it to perform a
> > set of tests on a data set. Is there a module to do this?
> 
> Thanks for all the replies.
> 
> Indeed, I can't trust the user input, but nonetheless I wondered whether
> I could still use eval, but heavily sanitise the input. It seems a lot
> easier than using a parser.

Doubtful.

> Can anyone see anything wrong with the following? The user-supplied
> variables are specified in square brackets, e.g. "[age]"
> 
>     # Sub in the variable values
>     foreach my $var (@variables)
>     {
>         my $value = ... # Could be a string in quotes
>         $code =~ s/\[$var\]/$value/gi;
>     }
> 
>     # Sanitise
>     $_ = $code;
>     return unless /^[ \S]+$/;               # Only allow normal spaces
>     return if /[\[\]]+/;                    # No brackets should remain
>     return if /\\/;                         # No escapes please
>     s/"[^"]+"//g;                           # Remove quoted strings
>     m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars


So, you're excluding having any alpha char (except 'eq') in the resulting
expression? Because that's what the last line does. Perhaps that's your
intention, because I've no idea what $value is going to be, other than
"it could be a string in quotes".

Now, if you do allow for alpha characters to be present, you have to make
sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr, s, m,
and y can take any delimiter).



Abigail
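For comparison, here is the parse-rather-than-sanitise approach the thread dismissed as harder, as an added example that is not code from the original thread or from either poster. It is a small recursive-descent evaluator for the grammar that the last regex in the sanitiser implies (numbers, double-quoted strings, [var] lookups, + - * /, <, >, eq and &&), so user text never reaches eval at all; the sample row and conditions are constructed, and the grammar itself is an assumption about what the original poster needed.

```perl
use strict; use warnings;
# Lexer: only numbers, "strings", [vars] and the grammar's operators become
# tokens; a bare word such as "system" or a stray quote is a hard error.
sub tokenise {
    my ($src) = @_;
    my @tok;
    while ($src =~ /\G\s*(?:(\d+(?:\.\d+)?)|"([^"]*)"|\[(\w+)\]|(&&|eq|[-+*\/<>()]))/gc) {
        push @tok, defined $1 ? [num => $1] : defined $2 ? [str => $2]
                 : defined $3 ? [var => $3] : [op  => $4];
    }
    $src =~ /\G\s*\z/gc or die "Unexpected input at offset " . (pos($src) // 0) . "\n";
    return \@tok;
}
# Recursive descent over:  expr := cmp ('&&' cmp)*   cmp := sum (('<'|'>'|'eq') sum)*
#   sum := term (('+'|'-') term)*   term := atom (('*'|'/') atom)*
#   atom := num | str | [var] | '(' expr ')'    -- nothing else can be expressed.
sub evaluate {
    my ($src, $vars) = @_;
    my ($tok, $i) = (tokenise($src), 0);
    my $is = sub { my $t = $tok->[$i]; $t && $t->[0] eq 'op' && $t->[1] =~ $_[0] };
    my ($expr, $atom);
    $atom = sub {
        my $t = $tok->[$i++] // die "Unexpected end of expression\n";
        return $t->[1] if $t->[0] eq 'num' || $t->[0] eq 'str';
        return $vars->{$t->[1]} // die "Unknown variable [" . $t->[1] . "]\n" if $t->[0] eq 'var';
        die "Unexpected token '$t->[1]'\n" unless $t->[1] eq '(';
        my $v = $expr->();
        $is->(qr/^\)$/) ? $i++ : die "Expected ')'\n";
        return $v;
    };
    my $level = sub {    # one left-associative precedence level: parse $next, fold ops matching $re
        my ($re, $next, $apply) = @_;
        return sub { my $v = $next->(); $v = $apply->($tok->[$i++][1], $v, $next->()) while $is->($re); $v };
    };
    my $term = $level->(qr{^[*/]$}, $atom, sub { $_[0] eq '*' ? $_[1] * $_[2] : $_[1] / $_[2] });
    my $sum  = $level->(qr/^[-+]$/, $term, sub { $_[0] eq '+' ? $_[1] + $_[2] : $_[1] - $_[2] });
    my $cmp  = $level->(qr/^(?:<|>|eq)$/, $sum, sub {
        $_[0] eq '<' ? $_[1] < $_[2] : $_[0] eq '>' ? $_[1] > $_[2] : $_[1] eq $_[2] });
    $expr = $level->(qr/^&&$/, $cmp, sub { $_[1] && $_[2] });
    my $result = $expr->();
    die "Trailing input '" . $tok->[$i][1] . "'\n" if $i < @$tok;
    return $result ? 1 : 0;
}
# Constructed sample row; the third condition is the one quoted in Abigail's reply.
my %row = (age => 42, name => 'Bob');
for my $cond ('[age] > 40 && [name] eq "Bob"', '([age] - 2) * 2 > 100', 'system qw xrm -rf foox') {
    my $r = eval { evaluate($cond, \%row) };
    chomp(my $err = $@);
    printf "%-30s => %s\n", $cond, $err ? "rejected ($err)" : $r ? 'true' : 'false';
}
```

Because the lexer only recognises the listed token shapes, the "any delimiter" quote operators Abigail mentions are never a concern: a bare `q`, `qw` or `system` fails at tokenising, and a variable substitution cannot change the parse because [var] values are looked up at evaluation time rather than spliced into source text.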

