On Friday, 20 May 2005 01:24, Randal L. Schwartz wrote:
> >>>>> "John" == John Doe <[EMAIL PROTECTED]> writes:
>
> John> Imagine the above tainted() without the '#' in the evaled string, and
> John> $data contains 'system ("rm -rf;")':
>
> John> 1. $nada would be executed
> John> 2. the quotes around the evaled string would not be necessary
>
> But this is still broken. Imagine the string containing
>
> "\n system q{rm -rf /};"
>
> Ooops!
Randal,

Ooops? Shit! Now you mention it, it's obvious. Sigh, there are so many things on earth that only become obvious once one has thought about them - and who knows all the necessary things to think about something...

> When *I* was in charge of the camel book (first and second editions),
> such crap would never have remained. {sigh}

Matthew,

One addition to my first answer (to your question about the '#' in the statement eval {eval "# $nada"}; ):

(under the precondition of the absence of a newline, as Randal pointed out, which makes the test rather unusable in practice)

The construct does not compile the code in $nada itself at first; it interpolates "# $nada". At this point, where the semantics of the resulting string are still not defined, taintedness is already relevant, because $nada is used. And now:

a) $nada tainted: immediately die() and catch this runtime error by the outer eval, no compilation of the perl code, independent of comment or not.

b) $nada not tainted: compile the string; this results in a perl comment (and any syntax error in $nada is irrelevant) [hm, at least in the 1st line]; "run" the comment (does nothing), so no die() possible, so no runtime error catchable by the outer eval.

But anyway: Either you know for sure that input comes from inside the perl code - or, it comes from outside, or maybe from outside, and then SANITIZE the value(s).

joe
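As an added example (not code from the thread or its participants), the comment-eval probe joe describes beside the probe a defender would use instead, Scalar::Util::tainted, and the regex-capture sanitizing joe recommends. The print statement standing in for Randal's system() string, the filename pattern, and the sample values are my constructed choices.

```perl
#!/usr/bin/perl -T
# Run as: perl -T thisfile.pl [some-argument]
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The probe from the thread: interpolate $nada into a comment and eval it.
# True only when the outer eval caught "Insecure dependency in eval", i.e.
# when $nada was tainted; an untainted $nada is compiled and run.
sub tainted_via_comment_eval {
    my ($nada) = @_;
    eval { eval "# $nada" };
    return $@ ? 1 : 0;
}

# Safe probe: ask perl about the taint flag; the data is never compiled.
sub tainted_safely {
    my ($value) = @_;
    return tainted($value) ? 1 : 0;
}

# Sanitize as joe recommends: accept only the characters expected (a simple
# filename here, a constructed choice); a capture from a successful match
# is untainted by design, so this is the legitimate way to untaint.
sub untaint_filename {
    my ($value) = @_;
    return ($value =~ /\A([\w.-]+)\z/) ? $1 : undef;
}

# Constructed inputs: a literal is never tainted; @ARGV is tainted under -T.
my $internal     = 'report.txt';
my $from_outside = defined $ARGV[0] ? $ARGV[0] : $internal;

# Harmless stand-in for Randal's "\n system q{rm -rf /};": the newline ends
# the '#' comment, so the probe compiles and runs what follows it.
my $escape = "\n print \"comment probe executed the embedded code\\n\";";

printf "comment probe, literal:       %d\n", tainted_via_comment_eval($internal);
printf "comment probe, with newline:  %d (and it ran the code)\n",
    tainted_via_comment_eval($escape);
printf "Scalar::Util, with newline:   %d (nothing executed)\n",
    tainted_safely($escape);
printf "Scalar::Util, from outside:   %d\n", tainted_safely($from_outside);

my $clean = untaint_filename($from_outside);
print defined $clean
    ? "accepted '$clean', tainted after capture: " . tainted_safely($clean) . "\n"
    : "rejected: input contains unexpected characters\n";
```

Without the -T switch nothing is ever tainted, so the comment-eval probe would simply execute every value handed to it; Scalar::Util::tainted reports 0 in that case and still compiles nothing.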