Evaluating user-defined conditions

Abigail abigail at abigail.be
Tue Jun 10 08:20:36 BST 2014

On Tue, Jun 10, 2014 at 07:10:30AM +0100, Andrew Beverley wrote:
> On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote:
> > Dear all,
> > 
> > I'd like to take a condition specified by a user and use it to perform a
> > set of tests on a data set. Is there a module to do this?
> Thanks for all the replies.
> Indeed, I can't trust the user input, but nonetheless I wondered whether
> I could still use eval, but heavily sanitise the input. It seems a lot
> easier than than using a parser.


> Can anyone see anything wrong with the following? The user-supplied
> variables are specified in square brackets, e.g. "[age]"
>     # Sub in the variable values
>     foreach my $var (@variables)
>     {
>         my $value = ... # Could be a string in quotes
>         $code =~ s/\[$var\]/$value/gi;
>     }
>     # Sanitise
>     $_ = $code;
>     return unless /^[ \S]+$/;               # Only allow normal spaces
>     return if /[\[\]]+/;                    # No brackets should remain
>     return if /\\/;                         # No escapes please
>     s/"[^"]+"//g;                           # Remove quoted strings
>     m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars

So, you excluding having any alpha char (except 'eq') in the resulting
expression? Because that's what the last line does. Perhaps that's your
intention, because I've no idea what $value is going to be, other than
"it could be a string in quotes".

Now, if you do allow for alpha characters to be present, you have to make
sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr, s, m,
and y can take any delimiter).


More information about the london.pm mailing list