eval() security



Jan 23, 2001, 12:59 AM

Post #1 of 4 (2533 views)
eval() security

For a particular program I'm working on, it will be helpful to be able to eval() user input.

Now if your pulse just rose 200 bpm, it's ok, I am aware of the glaring security risks. What I'm trying to do is let the user enter things such as equations so as to return a value that can be plugged into a HTML template and printed to the browser. If there's a better way than eval (such as a module that handles this sort of thing), then I really want to hear it. Otherwise, I'm looking at eliminating the security issues from evalling user input.

Here's what I propose:

1. Remove all backticks (`) and pipes (|) from the input (note, || could be useful, but we're only talking simple evaluations, so "or" would suffice).

2. Remove all barewords, and therefore functions from the input (there may be some useful functions like sin and cos that could be useful, it would be easy enough to keep them).

3. Remove any variables (those starting with $, @ or %) - could typeglobs be a problem? Removing them would require some discretion, so as to avoid the multiplication symbol (come to think of it, % interferes with modulus too)

4. Double over to be sure of removing some particularly nasty functions like system, exec and unlink, and also file handling functions.

5. I was also pondering whether removing all whitespace would help? But that's probably covered already (the reason being that two consecutive function calls could be eliminated by removing the space between them, but that could also create new problems if the user entered "un link" for example).

Any thoughts? I'm just wondering if you think that those ideas will work, and anything that I should perhaps change or add. Or, of course, if there's another way entirely (that can handle equations and conditional expressions).


Enthusiast / Moderator

Jan 23, 2001, 7:15 AM

Post #2 of 4 (2528 views)
Re: eval() security [In reply to]

You might want to look into the Safe module, which allows you to execute code in a sandbox. You can specify what OPs to allow (so you can effectively lock the user down to using mathematical functions, simple operators, and the like).

Jeff "japhy" Pinyan -- accomplished hacker, teacher, lecturer, and author
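As an added illustration of the Safe approach suggested above (not code from either poster), here is a compartment whose opcode mask is reduced with permit_only() to the opcode groups an arithmetic or conditional expression needs. Instead of the blacklist filtering proposed in the first post, anything outside the mask, including system, exec, unlink, open and backticks, is refused by Perl at compile time, so there is no list of "nasty" names to keep complete. The sample inputs are constructed for this example; the opcode group names (:base_core, :base_mem, :base_math) and the reval()/permit_only() methods are those documented in Safe and Opcode.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Build a Safe compartment that only permits the opcodes an expression
# needs. permit_only() replaces the default mask entirely, so anything not
# listed here (system, exec, unlink, open, backticks, entereval, ...) is
# refused when the string is compiled, before it ever runs.
sub make_math_compartment {
    my $cpt = Safe->new;
    $cpt->permit_only(
        ':base_core',   # constants, arithmetic, comparison, and/or, ?:
        ':base_mem',    # string concat, repeat, ranges, anonymous lists
        ':base_math',   # sin cos sqrt exp log atan2 rand srand
    );
    return $cpt;
}

# Evaluate one user-supplied expression inside the compartment.
# Returns (1, $value) on success, or (0, $error) when the expression is a
# syntax error, uses an operation the mask forbids, or runs too long.
# Safe restricts which opcodes may run, not how much CPU they consume,
# so a timeout is wrapped around the call as well.
sub eval_expression {
    my ($cpt, $expr, $timeout) = @_;
    $timeout ||= 2;    # seconds; hypothetical default for this example

    my $value = eval {
        local $SIG{ALRM} = sub { die "expression timed out\n" };
        alarm $timeout;
        my $v = $cpt->reval($expr);
        alarm 0;
        die $@ if $@;  # rethrow compile or runtime errors from the compartment
        $v;
    };
    alarm 0;           # never let an alarm outlive a failed eval

    if ($@) {
        my $err = $@;
        chomp $err;
        return (0, $err);
    }
    return (1, $value);
}

# Constructed sample inputs: two expressions a form user might legitimately
# submit, two that try to reach the shell or the filesystem, and one that
# would spin forever if loops were permitted.
my @inputs = (
    '2 + 3 * 4',
    'sqrt(16) > 3 ? "big" : "small"',
    'system("id")',
    'unlink("/etc/passwd")',
    '`id`',
);

my $cpt = make_math_compartment();
for my $expr (@inputs) {
    my ($ok, $result) = eval_expression($cpt, $expr);
    printf "%-32s => %s\n", $expr, $ok ? $result : "REJECTED: $result";
}
```

The arithmetic and the ternary evaluate normally; the three other inputs fail inside reval() with an "operation trapped by operation mask" style error in $@, because system, unlink and backtick are opcodes that permit_only() did not include. Two caveats worth keeping in mind when using this in a CGI script: the compartment shares the process, so memory exhaustion (for example a very large string repeat) is not prevented by the opcode mask and belongs under an rlimit or a separate process, and the value returned should still be treated as untrusted data when it is interpolated into the HTML template.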


Jan 23, 2001, 11:22 PM

Post #3 of 4 (2519 views)
Re: eval() security [In reply to]

Thanks japhy. I had a look at the Safe module and did some experimenting, it seems to be exactly what I need.

Enthusiast / Moderator

Jan 24, 2001, 6:55 AM

Post #4 of 4 (2506 views)
Re: eval() security [In reply to]

Excellent. Glad to be of help.

Jeff "japhy" Pinyan -- accomplished hacker, teacher, lecturer, and author

