From my servers - data

From anyone else's - user input

--
Clive Eisen
GPG: 75056DD0
> On 30 May 2017, at 18:47, Ruben Safir <ru...@mrbrklyn.com> wrote:
> 
> On Tue, May 30, 2017 at 05:10:17PM +0100, Clive Eisen wrote:
>> It is only a security hole if you eval user input.
>> 
> 
> 
> What do you call return values from the internet?
> 
>> 
>> --
>> Clive Eisen
>> GPG: 75056DD0
>> 
>> 
>> 
>> 
>> 
>> 
>>> On 30 May 2017, at 17:00, Hiram Gibbard <hgibb...@gmail.com> wrote:
>>> 
>>> I might be hijacking this... Sorry, but...I recently used the Perl eval 
>>> function to determine if an ldap search returned an error or not. Basically, 
>>> a user's record has an attribute that points to an assistant, and if that 
>>> assistant no longer exists the app was throwing an error since it executed an 
>>> ldap call to that assistant's record. So I used eval to check if the error 
>>> was returned, and if so, skipped the function where it tried to search the 
>>> assistant record in ldap.  Is this the same eval scenario you described 
>>> which has a security hole?
>>> 
>>> 
>>> I was just reading everyone's reply and now I am worried I created a 
>>> security hole.
>>> 
>>> Thanks
>>> 
>>> On Tue, May 30, 2017 at 10:04 AM, Dirk-Willem van Gulik 
>>> <di...@webweaving.org> wrote:
>>> 
>>>> On 30 May 2017, at 16:58, p...@cpan.org wrote:
>>>> 
>>>> On Tuesday 30 May 2017 15:53:13 James Smith wrote:
>>>>> String eval should be avoided at all costs [especially if you parse user
>>>>> input] - functional eval is different - and is a good model for catching
>>>>> errors etc
>>>> 
>>>> Yes, string eval should be avoided in all usage. But this discussion was
>>>> about that functional eval.
>>> 
>>> Aye - right you are - apologies for causing confusion and missing the (/{.
>>> 
>>> Dw.
>>> 
>>> 
>>> 
>>> -- 
>>> Hiram Gibbard
>>> hgibb...@gmail.com
>>> http://hiramgibbard.com
>>> 
>> 
> 
> -- 
> So many immigrant groups have swept through our town
> that Brooklyn, like Atlantis, reaches mythological
> proportions in the mind of the world - RI Safir 1998
> http://www.mrbrklyn.com
> 
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive
> http://www.coinhangout.com - coins!
> http://www.brooklyn-living.com
> 
> Being so tracked is for FARM ANIMALS and and extermination camps, 
> but incompatible with living as a free human being. -RI Safir 2013
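The distinction the thread turns on, block ("functional") eval as a try/catch versus string eval compiling data as code, as an added example that is not from any of the posters. It stands in a toy hash `%directory` and a hypothetical `fetch_record` for the LDAP client Hiram describes; only the shape of the error handling is the point.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread: block eval around a lookup that
# may die, versus the string form of eval the thread warns against.
use strict;
use warnings;

# Constructed stand-in for the directory. 'uid=carol' carries a dangling
# assistant reference, which is the case that was throwing the error.
my %directory = (
    'uid=alice' => { assistant => 'uid=bob' },
    'uid=carol' => { assistant => 'uid=gone' },
    'uid=bob'   => { assistant => undef },
);

# Hypothetical lookup helper: dies when the entry is missing, the way a
# wrapped LDAP search would.
sub fetch_record {
    my ($dn) = @_;
    die "no such entry: $dn\n" unless exists $directory{$dn};
    return $directory{$dn};
}

# Block eval: the braces hold code the programmer wrote; $assistant_dn is
# only ever a *value* inside that code, never compiled as Perl. A failure is
# caught, logged, and the assistant step is skipped instead of aborting the run.
sub assistant_name {
    my ($user_dn) = @_;
    my $user = fetch_record($user_dn);
    my $assistant_dn = $user->{assistant} or return undef;

    my $assistant;
    my $ok = eval { $assistant = fetch_record($assistant_dn); 1 };
    unless ($ok) {
        warn "skipping assistant lookup for $user_dn: $@";
        return undef;
    }
    return $assistant_dn;
}

for my $dn (qw(uid=alice uid=carol uid=bob)) {
    my $a = assistant_name($dn);
    printf "%-10s -> %s\n", $dn, defined $a ? $a : '(none)';
}

# Even when the looked-up value contains Perl syntax, the block form treats
# it as data: it simply fails the lookup. The string form, eval "...", would
# compile such a value as source, which is the hole the thread is about when
# the value arrives from a user, a network reply, or a directory attribute.
my $odd_dn = q{uid=x"; print "this is data, not code"; "};
my $r  = eval { fetch_record($odd_dn); 1 };
print "block eval treated it as data: ", (!$r && $@ =~ /no such entry/ ? "yes" : "no"), "\n";
```

The `eval { ...; 1 } or do { ... }` shape is used rather than testing `$@` alone because `$@` can be cleared by a destructor or a nested eval before the caller inspects it; checking the eval's own return value makes the "did it fail" decision independent of that. The same pattern applies unchanged to a real Net::LDAP search wrapped so that a missing entry dies.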
