Limited form of eval() - just a calculator 
 Limited form of eval() - just a calculator

Hi,

I have a little ircbot with a 'calculate' command. Currently I'm just
performing an eval() on the string the user attempts to calculate, but I
want to try and restrict the things the user can do. I only want to offer
the maths functions (+, -, *, /, %, sin(), cos(), log() etc.) and want to
stop them from doing things like 'undef($self)' or `rm -rf /' for example.

I couldn't find a limited form of eval on cpan, so I was wondering if
anyone has had to do this before, and could perhaps point me in the right
direction before I start writing my own calculator module.

Many thanks,

Tony

--------------------------------------
web:   http://www.*-*-*.com/
email: mercutio at digitalrice dot com
--------------------------------------



Sat, 10 Sep 2005 09:40:01 GMT  
 Limited form of eval() - just a calculator
Thus spoke Tony McNulty:

Quote:
> I have a little ircbot with a 'calculate' command. Currently I'm just
> performing an eval() on the string the user attempts to calculate, but I
> want to try and restrict the things the user can do. I only want to offer
> the maths functions (+, -, *, /, %, sin(), cos(), log() etc.) and want to
> stop them from doing things like 'undef($self)' or `rm -rf /' for example.

> I couldn't find a limited form of eval on cpan, so I was wondering if
> anyone has had to do this before, and could perhaps point me in the right
> direction before I start writing my own calculator module.

Use the Safe module. The little script below should only allow some
mathematical operators:

    #! /usr/bin/perl -w

    use Safe;

    # A fresh compartment starts from Opcode's ':default' opset; permit() only
    # adds to that set, it does not replace it. The trig/log ops (sin, cos,
    # log, sqrt, exp, atan2) belong to the separate ':base_math' set and are
    # not in ':default', so they are permitted explicitly as well.
    my $comp = Safe->new;
    $comp->permit(qw/int hex oct abs pow multiply i_multiply divide i_divide
                     modulo i_modulo add i_add subtract i_subtract
                     sin cos log sqrt exp atan2/);

    while (<STDIN>) {
        chomp;
        last if /^exit/;
        # reval() compiles and runs the line inside the compartment; it returns
        # undef and sets $@ when a forbidden op is used or the code dies.
        my $res = $comp->reval($_);

        print defined $res ? "$res\n" : "error: $@";
    }

See 'perldoc Opcode' (along with 'perldoc Safe' of course) for a list of
operators that you can explicitly permit. The above will also run in
its own namespace so there'll be no clash with any variables.

However, there has been a security issue with the Safe module lately.
See this posting:

<http://groups.google.com/groups?q=group:comp.lang.perl.misc+Safe.pm&h...>

But this problem might not apply to you.

Tassilo
--
{
pam{rekcahbus})(rekcah{lrePbus})(lreP{rehtonabus})!JAPH!qq(rehtona{tsuJbus#;
$_=reverse,s+(?<=sub).+q#q!'"qq.\t$&."'!#+sexisexiixesixeseg;y~\n~~dddd;eval



Sat, 10 Sep 2005 10:02:16 GMT  
 Limited form of eval() - just a calculator

Quote:

> I have a little ircbot with a 'calculate' command. Currently I'm
> just performing an eval() on the string the user attempts to
> calculate, but I want to try and restrict the things the user can
> do. I only want to offer the maths functions (+, -, *, /, %, sin(),
> cos(), log() etc.)  and want to stop them from doing things like
> 'undef($self)' or `rm -rf /' for example.

> I couldn't find a limited form of eval on cpan, so I was wondering
> if anyone has had to do this before, and could perhaps point me in
> the right direction before I start writing my own calculator module.

I think Parse::RecDescent comes with an example calculator, and it's
very appropriate for what you are doing.  As noted, the Safe module
has had problems, and what you need hardly requires an eval() call.

If you write your own grammar (and it's very easy to do so using
Parse::RecDescent) you are sure that your program will only do the
things you want to allow.

It's essentially the difference between taking a nap in the backseat
while someone else is driving (with the Safe module watching in the
passenger seat), and driving the car yourself while taking
directions.

Ted



Sun, 11 Sep 2005 17:38:55 GMT  
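The "write your own grammar" approach Ted describes, as an added example that is not code from any post in this thread: a hand-written recursive-descent calculator in plain Perl (assumed in place of Parse::RecDescent, which fills the same role), so the only things user input can trigger are the productions below, and the sample inputs at the bottom are constructed.

```perl
use strict; use warnings;
# Hypothetical hand-written calculator (not Tony's bot, not Parse::RecDescent): input
# can only drive the grammar below, so it never reaches undef(), backticks or system().
my %FUNC = (sin => sub { sin($_[0]) }, cos => sub { cos($_[0]) },
            log => sub { $_[0] > 0 ? log($_[0]) : die "log of a non-positive number\n" });
my %BIN  = ('+' => sub { $_[0] + $_[1] }, '-' => sub { $_[0] - $_[1] },
            '*' => sub { $_[0] * $_[1] }, '/' => sub { $_[0] / $_[1] },
            '%' => sub { $_[0] % $_[1] });           # Perl itself dies on / 0 and % 0

# expr  := term (('+'|'-') term)*        term  := unary (('*'|'/'|'%') unary)*
# unary := '-' unary | power             power := atom ('**' unary)?
# atom  := NUMBER | IDENT '(' expr ')' | '(' expr ')'
sub calc {
    my ($src) = @_; my @tok;   # tokenize; anything outside the four token classes is rejected
    push @tok, $1 while $src =~ /\G\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|\*\*|[-+*\/%()])/gc;
    $src =~ /\G\s*\z/gc or die "bad character '" . substr($src, pos($src) // 0, 1) . "'\n";
    my $peek   = sub { @tok ? $tok[0] : '' };
    my $expect = sub { (shift(@tok) // '') eq $_[0] or die "expected '$_[0]'\n" };
    my ($expr, $term, $unary, $power, $atom);
    my $chain = sub {                            # left-assoc: operand (op operand)*
        my ($re, $operand) = @_;
        my $v = $operand->();
        while ($peek->() =~ $re) { my $op = shift @tok; $v = $BIN{$op}->($v, $operand->()) }
        return $v;
    };
    $expr  = sub { $chain->(qr/^[-+]\z/,   $term)  };
    $term  = sub { $chain->(qr/^[*\/%]\z/, $unary) };
    $unary = sub { $peek->() eq '-' ? do { shift @tok; -$unary->() } : $power->() };
    $power = sub { my $base = $atom->();
                   $peek->() eq '**' ? do { shift @tok; $base ** $unary->() } : $base };
    $atom  = sub {
        my $t = shift(@tok) // die "unexpected end of input\n";
        return 0 + $t if $t =~ /^\d/;                        # number literal
        if ($t =~ /^[A-Za-z_]/) {                            # whitelisted function call
            my $f = $FUNC{$t} // die "unknown function '$t'\n";
            $expect->('('); my $arg = $expr->(); $expect->(')');
            return $f->($arg);
        }
        $t eq '(' or die "unexpected '$t'\n";                # parenthesised subexpression
        my $v = $expr->(); $expect->(')'); return $v;
    };
    my $result = $expr->();
    die "unexpected '$tok[0]' after expression\n" if @tok;
    return $result;
}
for my $in ('2 + 3 * 4', '-(7 % 4) * 2 ** 3', 'sin(0) + log(1)',
            'undef($self)', '`rm -rf /`', '1 / 0') {         # constructed sample inputs
    my $r = eval { calc($in) };         # block eval traps the parser's die(); it never evals $in
    print "$in => ", defined $r ? "$r\n" : "error: $@";
}
```

The two inputs from the original post fail in the tokenizer ('$' and the backtick are not in any token class), so they are refused before anything is evaluated; '1 / 0' is caught by the block eval rather than crashing the bot.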
 Limited form of eval() - just a calculator

Quote:

> I think Parse::RecDescent comes with an example calculator, and it's
> very appropriate for what you are doing.

[snip]


Quote:

> Use the Safe module. The little script below should only allow some
> mathematical operators:

[snip]

Thanks both of you for your replies, very much appreciated,

Tony

--------------------------------------
web:   http://mercutio.digitalrice.com
email: mercutio at digitalrice dot com
--------------------------------------



Sun, 11 Sep 2005 19:07:04 GMT  