> Thanks for not top-posting and for following E-mail netiquette. See below for
> my response.

Uh, sure. Most people don't get thanked for this, so I'm curious what prompted that.

> On Sunday 21 Feb 2010 05:01:12 Bryan R Harris wrote:
>>> On Saturday 20 Feb 2010 04:53:18 Bryan R Harris wrote:
>>>> This is unintuitive:
>>>> perl -e 'print "> "; while(<>) {print(( eval $_ )[-1], "\n> ")}'
>>>>
>>>> ... then enter 2*012. It prints "20". 2*12 is obviously 24, but perl's
>>>> interpreting that "012" as octal. We sometimes have our numbers zero
>>>> padded to make the columns line up, they're not octal.
>>>>
>>>> Is there any way to keep perl's eval from interpreting numbers starting
>>>> with "0" as octal?
>>>
>>> No, there isn't. But why are you writing a custom calculator using eval?
>>> A user may enter something like << system('rm -fr $HOME'); >> and get
>>> his home directory deleted. And other stuff like that.
>>
>> Because this isn't a web app, it's a script on a shared drive. If the
>> users wanted to do that, they could just type that command at the
>> terminal.
>
> I see. However, they may come to trust it as a calculator and not be aware of
> such problems with its evaluation. So for example, they can set up a script to
> process E-mails, and then some malicious correspondent will trick them.

Perhaps, but in this case I *really* doubt it. This tool is a custom calculator for our small team of analysts so they can easily do calculations without having to look up formulas, e.g. at 20ft altitude how far away is the horizon. That kind of thing. My script has ~30 different functions that the analyst can use, and it's been one of my most popular scripts. This particular problem has bit us, though, and I'm trying to fix it.

>>> If you're interested in writing a calculator or a different interpreter
>>> then look at parser-generator modules:
>>>
>>> http://www.nntp.perl.org/group/perl.module-authors/2009/09/msg7844.html
>>
>> Wow, I'm not even sure how that discussion connects to my situation -- I
>> don't recognize enough of the words to make the connection (this is a
>> beginners list, remember? =)
>
> OK, let me explain. Let's suppose you want to evaluate mathematical
> expressions and let's suppose you didn't have eval "" or would rather not use
> it (from the reasons I mentioned and others). So you need to turn this
> expression:
>
> 5+6*3
>
> Into a tree of tokens like the following:
>
> [+] ------> 5
>  |
>  ----> [*] ---> 6
>          |
>          ------> 3
>
> Then you can easily evaluate this tree and find the final expression. So you
> need to write a *parser* for that:
>
> http://en.wikipedia.org/wiki/Parsing
>
> What a parser generator gives you is a parser for a certain given, mostly
> arbitrary, grammar (expressed as a
> http://en.wikipedia.org/wiki/Formal_language ). So you can use it. And you
> can define this grammar to treat leading zeros as decimal or anything else you
> want, and you don't need to use eval "" which will allow inputting and
> executing any given arbitrary Perl command.

That's cool, I remember learning about some of that in high school programming. Does it get more complicated if the user is allowed to enter things like '5**1.5+6*rss(7,12,18)/ah(27,"alt")'? If I understand right, if I built a parser/generator I'd stand to gain (a) security against malicious inputs, (b) robustness against leading zeros, and (c) experience. I think I could get (b) with a simple regex, I'll think some more about whether the effort there would be worth the potential gain.

Thanks!

- Bryan

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
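The parser approach sketched in the quoted reply, worked through as an added example that is not code from this thread or from Bryan's script. It is a hand-written recursive-descent evaluator rather than a generated one, which is enough to show the two points at issue: numbers are converted with `0 + $str`, so a zero-padded `012` is decimal 12, and only a whitelist of named functions can be called, so input like `system(...)` is rejected instead of run. The functions `sqrt` and `hypot` in the whitelist are illustrative stand-ins for the team's own helpers (`rss`, `ah`), whose definitions the thread does not give. Note that the regex fix Bryan considers for option (b) would strip leading zeros but still hand the rest of the line to `eval ""`, so it leaves problem (a) untouched; a parser addresses both.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a small recursive-descent calculator
# that never calls string eval. It accepts numbers, + - * / **, parentheses and
# a whitelist of named functions; anything else dies instead of executing.
use strict;
use warnings;

# Whitelisted functions as [arity, code]. Illustrative stand-ins for the
# team's own helpers; an unknown name or wrong argument count is an error.
my %FUNCS = (
    sqrt  => [1, sub { sqrt($_[0]) }],
    hypot => [2, sub { sqrt($_[0]**2 + $_[1]**2) }],
);

# Split input into [TYPE, value] tokens; any other character is fatal.
sub tokenize {
    my ($text) = @_;
    my @tokens;
    for ($text) {
        while (length) {
            if    (s/^\s+//)               { next }
            elsif (s/^(\d+(?:\.\d+)?)//)    { push @tokens, [NUM  => 0 + $1] } # 0+ forces decimal
            elsif (s/^([A-Za-z_]\w*)//)     { push @tokens, [NAME => $1] }
            elsif (s/^(\*\*|[-+*\/(),])//)  { push @tokens, [OP   => $1] }
            else                            { die "unexpected input at: $_\n" }
        }
    }
    return \@tokens;
}

sub peek     { my ($p) = @_; return $p->{tokens}[ $p->{pos} ] }
sub next_tok { my ($p) = @_; return $p->{tokens}[ $p->{pos}++ ] }

# Consume and return the next token if it is one of the given operators.
sub accept_op {
    my ($p, @ops) = @_;
    my $t = peek($p) or return;
    return unless $t->[0] eq 'OP';
    for my $op (@ops) { next unless $t->[1] eq $op; $p->{pos}++; return $op }
    return;
}
sub expect_op { my ($p, $op) = @_; accept_op($p, $op) or die "expected '$op'\n" }

# Grammar, following Perl precedence (** binds tighter than unary minus and is
# right-associative, so -2**2 is -4):
#   expr := term (('+'|'-') term)*        term  := unary (('*'|'/') unary)*
#   unary := '-' unary | power            power := primary ('**' unary)?
#   primary := NUM | NAME '(' [expr (',' expr)*] ')' | '(' expr ')'
sub parse_expr {
    my ($p) = @_;
    my $v = parse_term($p);
    while (my $op = accept_op($p, '+', '-')) {
        my $r = parse_term($p);
        $v = $op eq '+' ? $v + $r : $v - $r;
    }
    return $v;
}
sub parse_term {
    my ($p) = @_;
    my $v = parse_unary($p);
    while (my $op = accept_op($p, '*', '/')) {
        my $r = parse_unary($p);
        if ($op eq '/') { die "division by zero\n" if $r == 0; $v /= $r }
        else            { $v *= $r }
    }
    return $v;
}
sub parse_unary {
    my ($p) = @_;
    if (accept_op($p, '-')) { my $v = parse_unary($p); return -$v }
    return parse_power($p);
}
sub parse_power {
    my ($p) = @_;
    my $base = parse_primary($p);
    return $base ** parse_unary($p) if accept_op($p, '**');
    return $base;
}
sub parse_primary {
    my ($p) = @_;
    my $t = next_tok($p) or die "unexpected end of expression\n";
    return $t->[1] if $t->[0] eq 'NUM';
    if ($t->[0] eq 'NAME') {                         # only whitelisted names run
        my $f = $FUNCS{ $t->[1] } or die "unknown function '$t->[1]'\n";
        expect_op($p, '(');
        my @args;
        unless (accept_op($p, ')')) {
            push @args, parse_expr($p);
            push @args, parse_expr($p) while accept_op($p, ',');
            expect_op($p, ')');
        }
        die "$t->[1] expects $f->[0] argument(s)\n" unless @args == $f->[0];
        return $f->[1]->(@args);
    }
    if ($t->[0] eq 'OP' && $t->[1] eq '(') {
        my $v = parse_expr($p);
        expect_op($p, ')');
        return $v;
    }
    die "unexpected token '$t->[1]'\n";
}

# Evaluate one line of calculator input, or die with a message.
sub calc {
    my ($text) = @_;
    my $p = { tokens => tokenize($text), pos => 0 };
    my $v = parse_expr($p);
    die "trailing input after expression\n" if peek($p);
    return $v;
}

# Demo on constructed inputs. eval BLOCK here only traps our own die();
# unlike eval "", it never compiles the user's text as Perl.
for my $input ('2*012', '5**1.5+6*hypot(3,4)/2', '-2**2', q{system('rm -fr $HOME')}) {
    my $result = eval { calc($input) };
    my $shown  = defined $result ? $result : "rejected: $@";
    chomp $shown;
    print "$input => $shown\n";
}
```

Run as a script: `2*012` evaluates to 24, `-2**2` to -4, and the `system(...)` line stops at the tokenizer's `'` with an error before any name is even looked up. Adding one of the team's real functions means adding one entry to `%FUNCS`, which is also the only place a reviewer has to look to see what the calculator can do.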