Evaluating user-defined conditions
Abigail
abigail at abigail.be
Tue Jun 10 10:47:24 BST 2014
On Tue, Jun 10, 2014 at 09:36:07AM +0100, Andrew Beverley wrote:
> On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote:
> > > # Sanitise
> > > $_ = $code;
> > > return unless /^[ \S]+$/; # Only allow normal spaces
> > > return if /[\[\]]+/; # No brackets should remain
> > > return if /\\/; # No escapes please
> > > s/"[^"]+"//g; # Remove quoted strings
> > > m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars
> >
> >
> > So, you're excluding any alpha char (except 'eq') in the resulting
> > expression?
>
> Sorry, just realised that I didn't explain myself properly.
>
> It's not what is remaining in $_ that is run, it's the original code
> that is in $code. The sequence above just checks that the code is safe
> to run.
Ah, now I get it. That's far more dangerous than I first thought.
Your code means that you are willing to eval this:
"@{qx (rm -rf /)}" && 1
Removing the quoted string leaves ' && 1', which is accepted by the
final check. Evalling it will try to erase the file system.
Abigail
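As an added illustration (not code from this thread), the check as posted, side by side with a variant that validates each double-quoted literal before it is stripped, so interpolation sigils inside the "string" cannot slip past; the two expressions are constructed test inputs, one harmless expression of the pattern Abigail describes and one benign arithmetic comparison.

```perl
use strict;
use warnings;

# The check as posted: it validates a stripped COPY of the expression,
# so whatever sits inside double quotes is never inspected.
sub looks_safe_as_posted {
    local $_ = shift;
    return 0 unless /^[ \S]+$/;      # only normal spaces
    return 0 if /[\[\]]+/;           # no brackets
    return 0 if /\\/;                # no escapes
    s/"[^"]+"//g;                    # quoted strings vanish before the check
    return m!^([-()*+/0-9<> ]|&&|eq)+$! ? 1 : 0;
}

# Hardened variant: sigils and braces are rejected anywhere, every quoted
# literal must be inert (letters, digits, spaces), and only then is the
# literal removed and the remaining grammar checked.
sub looks_safe_strict {
    local $_ = shift;
    return 0 unless /^[ \S]+$/;
    return 0 if /[\[\]{}\\\$\@]/;                  # no interpolation hooks
    my @literals = /"([^"]*)"/g;
    return 0 if grep { !/^[A-Za-z0-9 ]*$/ } @literals;
    s/"[^"]*"//g;
    return 0 if /"/;                               # unbalanced quote
    return m!^([-()*+/0-9<> ]|&&|eq)+$! ? 1 : 0;
}

# Constructed inputs: the first hides a command inside the "string"
# (a harmless echo here), the second is the kind of input the check
# was actually written for.
my $hostile = '"@{qx (echo interpolated)}" eq "x"';
my $benign  = '(1 + 2) * 3 > 4 && "abc" eq "abc"';

printf "hostile: posted=%d strict=%d\n",
    looks_safe_as_posted($hostile), looks_safe_strict($hostile);   # 1 0
printf "benign:  posted=%d strict=%d\n",
    looks_safe_as_posted($benign),  looks_safe_strict($benign);    # 1 1
```

Even the stricter allow-list only narrows the damage; the structural fix is to stop handing user text to eval and instead parse and evaluate the small expression grammar yourself.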