Evaluating user-defined conditions

Andrew Beverley andy at andybev.com
Tue Jun 10 09:26:17 BST 2014

On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote:
> >     # Sanitise
> >     $_ = $code;
> >     return unless /^[ \S]+$/;               # Only allow normal spaces
> >     return if /[\[\]]+/;                    # No brackets should remain
> >     return if /\\/;                         # No escapes please
> >     s/"[^"]+"//g;                           # Remove quoted strings
> >     m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars
> So, you're excluding having any alpha char (except 'eq') in the resulting
> expression? Because that's what the last line does. Perhaps that's your
> intention, because I've no idea what $value is going to be, other than
> "it could be a string in quotes".

Yes, $value is either an integer or a string in quotes. The 2 lines
previous to the last line should remove any string in quotes, therefore
just leaving operators and integers?

> Now, if you do allow for alpha characters to be present, you have to make
> sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
> the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr, s, m,
> and y can take any delimiter).

I'm happy to be restrictive to the user, and only allow straightforward
strings in double quotes. So anything else is removed or not allowed,
and the strings in quotes are checked as above.

I would not be surprised if I've missed something though!
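The alternative to sanitising the text and then handing it to string eval is to never compile it as Perl at all: tokenise the condition against the grammar the thread settles on (integers, double-quoted strings without escapes, parentheses, the operators + - * / < > eq and &&) and evaluate the parse tree directly. Anything that is not one of those tokens is rejected before it means anything, so q//, qw//, backslashes or bareword function calls can never reach the interpreter. The following is an added example written for this page, not code from Andrew or Abigail; the function names (tokenise, evaluate, check_condition, num) and the precedence rules are my own choices.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: evaluate a user-defined condition
# with a small recursive-descent parser instead of passing the text to
# string eval. Grammar: integers, double-quoted strings (no escapes),
# parentheses, + - * /, the comparisons < > and eq, and &&.
use strict;
use warnings;

# Split the input into [type, value] tokens; die on the first character that
# is not part of the grammar, so 'print', 'qw', '\' and friends stop here.
sub tokenise {
    my ($src) = @_;
    my @tokens;
    pos($src) = 0;
    while (pos($src) < length($src)) {
        if    ($src =~ /\G[ ]+/gc)           { next }                       # plain spaces only
        elsif ($src =~ /\G([0-9]+)/gc)       { push @tokens, ['int', $1] }
        elsif ($src =~ /\G"([^"\\]*)"/gc)    { push @tokens, ['str', $1] }  # no escapes inside
        elsif ($src =~ /\G(&&|eq)/gc)        { push @tokens, ['op',  $1] }
        elsif ($src =~ /\G([-+*\/<>()])/gc)  { push @tokens, ['op',  $1] }
        else  { die "unexpected input at offset " . pos($src) . "\n" }
    }
    return \@tokens;
}

# Arithmetic and < > only make sense on integers; refuse anything else.
sub num {
    my ($v) = @_;
    die "non-integer value '$v' in arithmetic\n" unless $v =~ /^-?[0-9]+$/;
    return $v;
}

# Recursive-descent parser/evaluator over the token list.
# Precedence, lowest to highest: &&, then < > eq, then + -, then * /, then unary -.
sub evaluate {
    my ($src) = @_;
    my $tokens = tokenise($src);
    my $i = 0;

    my $peek   = sub { $i < @$tokens ? $tokens->[$i] : ['eof', ''] };
    my $take   = sub { my $t = $peek->(); $i++; $t };
    my $accept = sub {                       # consume the token if it is the given operator
        my ($op) = @_;
        my $t = $peek->();
        return 0 unless $t->[0] eq 'op' && $t->[1] eq $op;
        $i++;
        return 1;
    };

    my ($expr, $cmp, $sum, $term, $factor);

    $factor = sub {
        my $t = $take->();
        die "unexpected end of expression\n" if $t->[0] eq 'eof';
        return $t->[1]              if $t->[0] eq 'int' || $t->[0] eq 'str';
        return -num($factor->())    if $t->[0] eq 'op' && $t->[1] eq '-';
        if ($t->[0] eq 'op' && $t->[1] eq '(') {
            my $v = $expr->();
            $accept->(')') or die "missing closing parenthesis\n";
            return $v;
        }
        die "unexpected token '$t->[1]'\n";
    };
    $term = sub {
        my $v = $factor->();
        while (1) {
            if    ($accept->('*')) { $v = num($v) * num($factor->()) }
            elsif ($accept->('/')) {
                my $d = num($factor->());
                die "division by zero\n" if $d == 0;
                $v = int(num($v) / $d);
            }
            else { return $v }
        }
    };
    $sum = sub {
        my $v = $term->();
        while (1) {
            if    ($accept->('+')) { $v = num($v) + num($term->()) }
            elsif ($accept->('-')) { $v = num($v) - num($term->()) }
            else                   { return $v }
        }
    };
    $cmp = sub {
        my $l = $sum->();
        return ((num($l) < num($sum->())) ? 1 : 0) if $accept->('<');
        return ((num($l) > num($sum->())) ? 1 : 0) if $accept->('>');
        return (($l eq $sum->())          ? 1 : 0) if $accept->('eq');
        return $l;
    };
    $expr = sub {
        my $v = $cmp->();
        while ($accept->('&&')) {
            my $r = $cmp->();                # always parsed, so syntax errors are never masked
            $v = ($v && $r) ? 1 : 0;
        }
        return $v;
    };

    my $result = $expr->();
    die "trailing input after expression\n" if $i < @$tokens;
    return $result;
}

# Entry point: (1, value) on success, (0, reason) on any syntax or type error.
# The block eval only traps our own die() calls; user text is never compiled.
sub check_condition {
    my ($src) = @_;
    my $v = eval { evaluate($src) };
    return $@ ? (0, $@) : (1, $v);
}

# Constructed sample conditions: two well-formed, three rejected.
for my $cond ('(2 + 3) * 4 > 10 && "foo" eq "foo"',   # value 1
              '"foo" eq "bar"',                       # value 0
              '10 / (5 - 5)',                         # rejected: division by zero
              'print 1',                              # rejected: 'print' is not a token
              '"abc" + 1') {                          # rejected: arithmetic on a string
    my ($ok, $out) = check_condition($cond);
    chomp $out;
    printf "%-38s => %s\n", $cond, $ok ? "value $out" : "rejected: $out";
}
```

Because every operator is matched by an explicit accept call and anything left over after the top-level expression is an error, the set of inputs this accepts is exactly the grammar and nothing more; there is no second "remove quoted strings" step whose interaction with Perl's quoting operators has to be reasoned about.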

