Hi Bryan.

On Sunday 21 Feb 2010 18:11:26 Bryan R Harris wrote:
> > Thanks for not top-posting and for following E-mail netiquette. See below
> > for my response.
> 
> Uh, sure.  Most people don't get thanked for this, so I'm curious what
> prompted that.

Just giving positive feedback, to encourage you and others to follow suit. Or 
as we say in Israel - "Qabbel Cheith-Cheith!" (= Get a positive 
encouragement).

> 
> > On Sunday 21 Feb 2010 05:01:12 Bryan R Harris wrote:
> >>> On Saturday 20 Feb 2010 04:53:18 Bryan R Harris wrote:
> >>>> This is unintuitive:
> >>>>   perl -e 'print "> "; while(<>) {print(( eval $_ )[-1], "\n> ")}'
> >>>> 
> >>>> ... then enter 2*012.  It prints "20".  2*12 is obviously 24, but
> >>>> perl's interpreting that "012" as octal.  We sometimes have our
> >>>> numbers zero padded to make the columns line up, they're not octal.
> >>>> 
> >>>> Is there any way to keep perl's eval from interpreting numbers
> >>>> starting with "0" as octal?
> >>> 
> >>> No, there isn't. But why are you writing a custom calculator using
> >>> eval? A user may enter something like << system('rm -fr $HOME'); >>
> >>> and get his home directory deleted. And other stuff like that.
> >> 
> >> Because this isn't a web app, it's a script on a shared drive.  If the
> >> users wanted to do that, they could just type that command at the
> >> terminal.
> > 
> > I see. However, they may come to trust it as a calculator and not be
> > aware of such problems with its evaluation. So for example, they can set
> > up a script to process E-mails, and then some malicious correspondent
> > will trick them.
> 
> Perhaps, but in this case I *really* doubt it.  This tool is a custom
> calculator for our small team of analysts so they can easily do
> calculations without having to look up formulas, e.g. at 20ft altitude how
> far away is the horizon.  That kind of thing.  My script has ~30 different
> functions that the analyst can use, and it's been one of my most popular
> scripts. This particular problem has bit us, though, and I'm trying to fix
> it.

OK.

> 
> >>> If you're interested in writing a calculator or a different interpreter
> >>> then look at parser-generator modules:
> >>> 
> >>> http://www.nntp.perl.org/group/perl.module-authors/2009/09/msg7844.html
> >> 
> >> Wow, I'm not even sure how that discussion connects to my situation -- I
> >> don't recognize enough of the words to make the connection (this is a
> >> beginners list, remember?  =)
> > 
> > OK, let me explain. Let's suppose you want to evaluate mathematical
> > expressions and let's suppose you didn't have eval "" or would rather not
> > use it (for the reasons I mentioned and others). So you need to turn
> > this expression:
> > 
> > 5+6*3
> > 
> > Into a tree of tokens like the following:
> > 
> > [+] ------> 5
> > 
> >       ----> [*] ---> 6
> >       
> >              ------> 3
> > 
> > Then you can easily evaluate this tree and find the final expression. So
> > you need to write a *parser* for that:
> > 
> > http://en.wikipedia.org/wiki/Parsing
> > 
> > What a parser generator gives you is a parser for a certain given, mostly
> > arbitrary, grammar (expressed as a
> > http://en.wikipedia.org/wiki/Formal_language ) . So you can use it. And
> > you can define this grammar to treat leading zeros as decimal or
> > anything else you want, and you don't need to use eval "" which will
> > allow inputting and executing any given arbitrary Perl command.
> 
> That's cool, I remember learning about some of that in high school
> programming.  Does it get more complicated if the user is allowed to enter
> things like '5**1.5+6*rss(7,12,18)/ah(27,"alt")'?

Not by much. You can easily parse such an expression using any half-decent 
parser generator.

> 
> If I understand right, if I built a parser/generator 

You shouldn't build a parser generator. You should use a parser generator 
(such as the ones I mentioned on the thread) to generate a parser for a 
grammar that you define for it and then make use of the new code.

> I'd stand to gain (a)
> security against malicious inputs, (b) robustness against leading zeros,
> and (c) experience.  

Right. Your grammar can also later deviate from what Perl 5 constrains you to 
(or restrict additional things). And you can also later implement this in a 
different language than Perl 5 without needing to incorporate the entire Perl 
5 syntax inside.

> I think I could get (b) with a simple regex, I'll
> think some more about whether the effort there would be worth the
> potential gain.

Such a simple regex would be hard to get right. What if you have an expression 
such as:

{{{
"Let's count -up - 01234 - " . "Hello";
}}}

If you strip leading zeros from everything that looks like an integer it will 
tamper with the string. It's an option naturally, but your code may break 
eventually.

> 
> Thanks!
> 

You're welcome.

Regards,

        Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
Interview with Ben Collins-Sussman - http://shlom.in/sussman

Deletionists delete Wikipedia articles that they consider lame.
Chuck Norris deletes deletionists whom he considers lame.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
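Added example for the thread above (my code, not Bryan's script and not code from the list): a small recursive-descent evaluator in Perl that replaces `eval ""` for a calculator like the one discussed. It tokenizes the input first, so "012" is converted with Perl's ordinary string-to-number rules (decimal, giving 2*012 = 24), and a user can only call functions on an explicit whitelist, so `system('rm -fr $HOME')` and the quoted-string example are rejected as parse errors instead of being executed. The grammar, the whitelist, and the bodies of `rss()` and `ah()` are assumptions made for illustration (the thread only names those two functions); numeric arguments only, so `ah(27,"alt")` would need a string token added to the tokenizer.

```perl
#!/usr/bin/perl
# Added example: a whitelist-only expression evaluator as an alternative
# to eval "". Grammar (assumed, not from the thread):
#   expr   := term (('+'|'-') term)*
#   term   := unary (('*'|'/') unary)*
#   unary  := '-' unary | power
#   power  := atom ('**' unary)?          # right-associative, binds tighter than unary minus
#   atom   := NUMBER | NAME '(' [expr (',' expr)*] ')' | '(' expr ')'
use strict;
use warnings;

# Only these names may be called. rss() and ah() are mentioned in the thread;
# their bodies here are placeholders (assumptions), not the real analysts' tools.
my %FUNCS = (
    rss  => sub { my $s = 0; $s += $_ ** 2 for @_; return sqrt($s) },  # root-sum-square
    ah   => sub { return $_[0] * 2 },                                   # placeholder body
    sqrt => sub { return sqrt($_[0]) },
);

# Tokenizer: numbers, names, operators and parentheses. Anything else
# (quotes, semicolons, sigils) is a hard error and is never executed.
sub tokenize {
    my ($src) = @_;
    my @tokens;
    pos($src) = 0;
    while (pos($src) < length $src) {
        next if $src =~ /\G\s+/gc;
        if ($src =~ /\G(\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)/gc) {
            # "012" + 0 is 12: numeric conversion of a string is always decimal,
            # only literals in Perl *source* are read as octal.
            push @tokens, [ 'NUM', $1 + 0 ];
            next;
        }
        if ($src =~ /\G([A-Za-z_]\w*)/gc)      { push @tokens, [ 'NAME', $1 ]; next }
        if ($src =~ /\G(\*\*|[-+*\/(),])/gc)   { push @tokens, [ 'OP',   $1 ]; next }
        die sprintf "Unexpected character '%s' at position %d\n",
            substr($src, pos($src), 1), pos($src);
    }
    return \@tokens;
}

sub peek_op { my ($t, $re) = @_; return @$t && $t->[0][0] eq 'OP' && $t->[0][1] =~ $re }

sub expect {
    my ($t, $want) = @_;
    my $tok = shift @$t;
    die "Expected '$want'\n" unless $tok && $tok->[0] eq 'OP' && $tok->[1] eq $want;
}

sub parse_expr {
    my ($t) = @_;
    my $v = parse_term($t);
    while (peek_op($t, qr/^[-+]$/)) {
        my $op = shift(@$t)->[1];
        my $r  = parse_term($t);
        $v = $op eq '+' ? $v + $r : $v - $r;
    }
    return $v;
}

sub parse_term {
    my ($t) = @_;
    my $v = parse_unary($t);
    while (peek_op($t, qr/^[*\/]$/)) {
        my $op = shift(@$t)->[1];
        my $r  = parse_unary($t);
        if ($op eq '/') { die "Division by zero\n" if $r == 0; $v /= $r }
        else            { $v *= $r }
    }
    return $v;
}

sub parse_unary {
    my ($t) = @_;
    if (peek_op($t, qr/^-$/)) { shift @$t; return -parse_unary($t) }
    return parse_power($t);
}

sub parse_power {
    my ($t) = @_;
    my $base = parse_atom($t);
    if (peek_op($t, qr/^\*\*$/)) { shift @$t; return $base ** parse_unary($t) }
    return $base;
}

sub parse_atom {
    my ($t) = @_;
    my $tok = shift @$t or die "Unexpected end of expression\n";
    return $tok->[1] if $tok->[0] eq 'NUM';
    if ($tok->[0] eq 'OP' && $tok->[1] eq '(') {
        my $v = parse_expr($t);
        expect($t, ')');
        return $v;
    }
    if ($tok->[0] eq 'NAME') {
        # Unknown names (system, exec, ...) are rejected here, never dispatched.
        my $f = $FUNCS{ $tok->[1] } or die "Unknown function '$tok->[1]'\n";
        expect($t, '(');
        my @args;
        unless (peek_op($t, qr/^\)$/)) {
            push @args, parse_expr($t);
            while (peek_op($t, qr/^,$/)) { shift @$t; push @args, parse_expr($t) }
        }
        expect($t, ')');
        return $f->(@args);
    }
    die "Unexpected token '$tok->[1]'\n";
}

sub calc {
    my ($src) = @_;
    my $t = tokenize($src);
    my $v = parse_expr($t);
    die "Trailing input after expression\n" if @$t;
    return $v;
}

# Demo when run as a script: inputs from the thread plus two that eval "" would run.
if (!caller) {
    for my $src ('2*012', '5**1.5+6*rss(7,12,18)/2', '-2**2',
                 q{system('rm -fr $HOME')}, q{"Let's count -up - 01234 - " . "Hello"}) {
        my $result = eval { calc($src) };   # eval BLOCK only traps die(); it compiles nothing
        print "$src => ", (defined $result ? "$result\n" : "rejected: $@");
    }
}
```

The decisive difference from the original one-liner is that nothing the user types ever reaches the Perl compiler: the tokenizer turns "012" into the number 12 by string conversion, and any input containing a quote, semicolon or unknown name dies with a message rather than running. Adding the analysts' remaining functions is a matter of extending `%FUNCS`; the grammar itself does not change.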

-- 
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/