Subroutines in an eval'ed user-script 

Greetings,
        I'm wondering if this is a reasonable thing to do.  One of my
scripts is supposed to extract some user-defined information from a group
of files.  The user should be able to tell me what file, lines, and
column to get the data from, and the user should be able to say what
to do with the data.  I want the user to be able to do:

----In user's file--------------------------
...
Extraction:
     $value1 = val( "afile.dat", 365, 3);
     $value2 = sum( "afile.dat", 370, 390, 4);
     $value3 = $value1 + $value2;
     return $value3;
...
-----End of user's file ---------------------

And the perl script should do this.  I make an array of the commands

(I've put it at the end) as does the subroutine sum().

To actually operate this thing, I do:



print $returned_val;

This works.  My questions are:

1. Is this at all reasonable?  How else can I do this that would be
        better?  Is there a security hole here?

2.  Why does


    work, but


    and

    do not?

3.  It is conceivable that this thing does not get eval'ed until far into
        the program.  How can I do a syntax check on it at the
        beginning?  I want to do a "perl -c" on it at the "read-in"
        stage.

--
Clark

sub val {
   my ($filename, $fromline, $col) = @_;

   # Check for "goodness" of $fromline and $col.
   # ... (the checks themselves were elided in the post)

   my $returnval = 0;
   if ( -e $filename) {
      open( FN, $filename) or die "Could not open $filename";
      while (defined(my $line=<FN>)) {
         if ($. == $fromline) {
            # Split the wanted line into whitespace-separated columns
            # (the split line was lost from the post; space separation is assumed)
            my @vals = split ' ', $line;
            $returnval = $vals[$col-1];
            close( FN );
            return $returnval;
         }
      }
      close( FN );
   }
   else {
      die "The file $filename does not exist ($!)";
   }
   # If we get here, then we missed it.  Return 0;
   return $returnval;
}



Tue, 25 Jan 2000 03:00:00 GMT  
 Subroutines in an eval'ed user-script


> One of my scripts is supposed to extract some user-defined information from
> a group of files.  The user should be able to tell me what file, lines,
> and column to get the data from, and the user should be able to say what
> to do with the data.

Why don't you make your program into a module, and let the user 'use' it
in his or her own script?

> I want the user to be able to do:

> ----In user's file--------------------------
> ...
> Extraction:
>      $value1 = val( "afile.dat", 365, 3);
>      $value2 = sum( "afile.dat", 370, 390, 4);
>      $value3 = $value1 + $value2;
>      return $value3;
> ...
> -----End of user's file ---------------------
> 1. Is this at all reasonable?  How else can I do this that would be
>    better?  Is there a security hole here?

You bet there's a security hole. If you're executing code that somebody
else has written, they could slip in a command that could (for example)
mail them a copy of any file which you could read. (You can avoid some of
this with careful use of set-id scripts or modules like Opcode, but it's
easier to let them run the script themselves, if you can.)

> 2.  Why does


>     work, but


>     and

>     do not?

They're doing different things, but they all "work". :-)  Let's look at
each one.


The argument is a string made up from a space-separated list of items from







read from a file, you probably wanted this.


But (again) be very cautious about eval'ing arbitrary text strings. If you
can make a module that somebody else can 'use', you're much better off.

Good luck!

--
Tom Phoenix           http://www.teleport.com/~rootbeer/

Randal Schwartz Case:  http://www.rahul.net/jeffrey/ovs/
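The following is an added example, not code from either post. It ties together the original question 3 (checking the user's block at read-in time instead of at first use) and the reply's warning about eval'ing arbitrary text: the user's extraction block is compiled once, up front, inside a Safe compartment (Safe is built on the Opcode module the reply mentions), so that a syntax error or a forbidden operation such as open or system is reported immediately, while the val() and sum() subroutines stay outside the compartment and keep their normal file access. The package name Extract, the helper compile_user_block, and the data file are constructed for this example; the package is the piece you would ship as Extract.pm if you take the reply's advice and let the user 'use' it instead.

```perl
#!/usr/bin/perl
# Added example (not from the thread): compile a user-supplied extraction
# block at read-in time under a Safe op mask, then run it later.
# Extract::val, Extract::sum, compile_user_block and the data file are
# assumptions made for this example.
use strict;
use warnings;
use Safe;
use File::Temp qw(tempdir);

package Extract;   # the part a user would 'use' if shipped as Extract.pm

# Return column $col (1-based, whitespace separated) of line $fromline.
sub val {
    my ($filename, $fromline, $col) = @_;
    die "bad line/column\n" unless $fromline >= 1 && $col >= 1;
    open(my $fh, '<', $filename) or die "Could not open $filename: $!\n";
    while (defined(my $line = <$fh>)) {
        next unless $. == $fromline;
        my @vals = split ' ', $line;
        close $fh;
        return $vals[$col - 1];
    }
    close $fh;
    return 0;   # line not found: same fallback as the original val()
}

# Sum column $col over lines $from..$to inclusive.
sub sum {
    my ($filename, $from, $to, $col) = @_;
    my $total = 0;
    $total += val($filename, $_, $col) for $from .. $to;
    return $total;
}

package main;

# Compile the user's block now and hand back a coderef.  The compartment's
# default op mask (':default') contains no file, network or subprocess ops,
# so open/system/backticks in the block die here, as does a syntax error.
# The mask is applied at compile time, so the returned sub can be called
# later from ordinary code without losing the restriction.
sub compile_user_block {
    my ($code) = @_;
    my $cpt = Safe->new;
    $cpt->share_from('Extract', ['&val', '&sum']);   # only these two subs are visible
    my $sub = $cpt->reval("sub { $code }");
    die "user block rejected: $@" if $@;
    return $sub;
}

# --- demo with a constructed data file: line n reads "n 10 20 30 40" ---
my $dir      = tempdir(CLEANUP => 1);
my $datafile = "$dir/afile.dat";
open(my $out, '>', $datafile) or die "cannot write $datafile: $!";
print $out "$_ 10 20 30 40\n" for 1 .. 6;
close $out;

# The user's block, in the shape shown in the thread, pointing at our file.
my $user_block = <<"END";
    \$value1 = val("$datafile", 3, 3);      # line 3, column 3  -> 20
    \$value2 = sum("$datafile", 4, 5, 4);   # column 4 of lines 4..5 -> 60
    \$value3 = \$value1 + \$value2;
    return \$value3;
END

my $extract = compile_user_block($user_block);   # checked at read-in ...
# ... and executed much later in the program:
my $returned_val = $extract->();
print "returned_val = $returned_val\n";          # 80

# A syntax error surfaces at read-in instead of at first use:
eval { compile_user_block('$value1 = val("x", 1, 1') };
print "syntax error caught: $@" if $@;

# A block that tries to read files directly is rejected by the op mask:
eval { compile_user_block('open(FH, "/some/private/file")') };
print "forbidden op caught: $@" if $@;
```

Because the mask covers the whole string handed to reval, it does not matter whether the user closes the `sub {` wrapper early and starts a second statement; whatever they write is still compiled under the same restrictions. What the mask does not do is bound CPU or memory, so a block that loops forever still needs an alarm or a similar limit around the later call.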



Tue, 25 Jan 2000 03:00:00 GMT  