On Tue, Jun 10, 2014 at 09:26:17AM +0100, Andrew Beverley wrote:
> On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote:
> > > # Sanitise
> > > $_ = $code;
> > > return unless /^[ \S]+$/; # Only allow normal spaces
> > > return if /[\[\]]+/; # No brackets should remain
> > > return if /\\/; # No escapes please
> > > s/"[^"]+"//g; # Remove quoted strings
> > > m!^([-()*+/0-9<> ]|&&|eq)+$! or return; # Allowed expression chars
> >
> > So, you're excluding having any alpha char (except 'eq') in the resulting
> > expression? Because that's what the last line does. Perhaps that's your
> > intention, because I've no idea what $value is going to be, other than
> > "it could be a string in quotes".
>
> Yes, $value is either an integer or a string in quotes. The 2 lines
> previous to the last line should remove any string in quotes, therefore
> just leaving operators and integers?

So, your loop replaces [$var] with a string in quotes, only for
s/"[^"]+"//g; to remove it? I'm a bit confused what purpose that serves.

> > Now, if you do allow for alpha characters to be present, you have to make
> > sure things like "system qw xrm -rf foox" are filtered out. (As you can see,
> > the "remove quoted strings" isn't much of a filter -- q, qq, qw, qx, qr, s,
> > m, and y can take any delimiter).
>
> I'm happy to be restrictive to the user, and only allow straightforward
> strings in double quotes. So anything else is removed or not allowed,
> and the strings in quotes are checked as above.

I don't see any check for strings in quotes -- they're removed.

Do note though that if a user inputs a string that starts with a ", and
doesn't use " elsewhere, the s/"[^"]+"//g; doesn't strip the [$var]
replacements, it will keep them as is, stripping the rest. And you'll be
left with a single " in the string -- which fails the last test.

> I would not be surprised if I've missed something though!

Considering that you want to be really restrictive, a parser is going to
be quite simple. Why not just write a parser instead of hoping you've
caught anything potentially bad?

Abigail
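To illustrate the closing suggestion, here is an added example (not code posted in this thread) of the kind of parser meant: a recursive-descent parser and evaluator for the grammar the sanitiser above tries to permit (integers, double-quoted strings without escapes, + - * /, < > eq, &&, parentheses). The sub names, the exact grammar and the precedence levels are this example's own assumptions; the point is that nothing is ever handed to eval, so there is no string of Perl code to sanitise at all, and anything outside the grammar is rejected outright.

```perl
use strict;
use warnings;
use Scalar::Util qw(looks_like_number);
# Tokeniser: integers, double-quoted strings without escapes, and the operators the sanitiser allowed.
sub tokenize {
    my ($src, @tok) = @_;
    while ($src !~ /\G\z/gc) {                   # anything not matched below is rejected, not "hopefully harmless"
        if    ($src =~ /\G\s+/gc)                 { }
        elsif ($src =~ /\G(\d+)/gc)               { push @tok, ['num', $1] }
        elsif ($src =~ /\G"([^"\\]*)"/gc)         { push @tok, ['str', $1] }
        elsif ($src =~ /\G(&&|eq|[-+*\/<>()])/gc) { push @tok, ['op',  $1] }
        else  { die "Unexpected input at offset " . (pos($src) // 0) . "\n" }
    }
    return \@tok;
}
my ($toks, $i);                                  # token list and cursor for the current evaluate() call
sub take_op {                                    # consume the next token if it is one of the given operators
    return if $i >= @$toks || $toks->[$i][0] ne 'op' || !grep { $_ eq $toks->[$i][1] } @_;
    return $toks->[$i++][1];
}
sub num { looks_like_number($_[0]) ? $_[0] : die("Non-numeric operand '$_[0]'\n") }
my @LEVELS = (                                   # binary operators, lowest precedence first, left-associative
    { '&&' => sub { ($_[0] && $_[1]) ? 1 : 0 } },
    { 'eq' => sub { $_[0] eq $_[1] ? 1 : 0 },
      '<'  => sub { num($_[0]) < num($_[1]) ? 1 : 0 }, '>' => sub { num($_[0]) > num($_[1]) ? 1 : 0 } },
    { '+'  => sub { num($_[0]) + num($_[1]) }, '-' => sub { num($_[0]) - num($_[1]) } },
    { '*'  => sub { num($_[0]) * num($_[1]) },
      '/'  => sub { num($_[1]) == 0 ? die("Division by zero\n") : num($_[0]) / $_[1] } },
);
sub parse_level {                                # recursive descent: level $lvl is built from level $lvl+1 operands
    my ($lvl) = @_;
    return parse_atom() if $lvl >= @LEVELS;
    my $v = parse_level($lvl + 1);
    while (my $op = take_op(keys %{ $LEVELS[$lvl] })) { $v = $LEVELS[$lvl]{$op}->($v, parse_level($lvl + 1)) }
    return $v;
}
sub parse_atom {                                 # INT | "STR" | '-' atom | '(' expression ')'
    die "Unexpected end of expression\n" if $i >= @$toks;
    my ($type, $text) = @{ $toks->[$i++] };
    return $text if $type ne 'op';               # integer or string literal, used as a plain value
    return 0 - num(parse_atom()) if $text eq '-';
    if ($text eq '(') { my $v = parse_level(0); take_op(')') or die "Missing ')'\n"; return $v }
    die "Unexpected token '$text'\n";
}
sub evaluate {                                   # parse and evaluate one expression; dies on anything outside the grammar
    ($toks, $i) = (tokenize($_[0]), 0);
    my $v = parse_level(0); die "Trailing input\n" if $i < @$toks; return $v;
}
print evaluate('(3 + 4) * 2 > 10 && "abc" eq "abc"'), "\n";                 # prints 1
my $r = eval { evaluate('system qw xrm -rf foox') }; print defined $r ? $r : "rejected: $@";  # rejected at offset 0
```

The [$var] substitutions from the original loop would be supplied here as literal tokens (a 'num' or 'str' entry) rather than spliced into source text, so a value starting with an unmatched " can no longer interact with the rest of the expression.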