Hi, is there a way to restrict the set of admissible functions for an eval() statement to a possibly 'safe' set, excluding all potentially dangerous functions like 'system', 'open', etc. (like, for instance, in the 'Safe' module for Perl)?
The background for this question is that this would be run in a CGI environment. The user should be able to input some R code (a function assignment); thereafter the code is parsed, evaluated and the type of function parameters checked by a call to 'formals', like in:

> expr <- parse(text='foo <- function(x = numeric()){mean(x)}')
> eval(expr[1])
> formals(foo)
$x
numeric()

Of course, this is highly dangerous, given this setting, as one could try

> expr <- parse(text='system("ls"); foo <- function(x = numeric()){mean(x)}') # or more evil things
> eval(expr)

I know I could do something like

> system <- function(...) stop ('This is not allowed!')

but it's rather likely to miss one of the 'bad' functions. Any ideas would be appreciated.

Regards
Michael Dondrup

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
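
An added example, not part of the original post: one way to get the information `formals(foo)` would give without calling eval() on user input at all is to check the parse tree against an allowlist and read the formals directly from it. The names `ALLOWED`, `call_heads` and `check_user_function` and the contents of the allowlist are assumptions made for this sketch.

```r
# Added example (not from the original post). ALLOWED is an illustrative
# allowlist chosen for this sketch; check_user_function is a hypothetical name.
ALLOWED <- c("<-", "function", "{", "(", "+", "-", "*", "/",
             "numeric", "character", "integer", "logical",
             "mean", "sum", "length")

# Collect the name of every function called anywhere in a parse tree.
call_heads <- function(x) {
  if (is.call(x)) {
    head <- x[[1]]
    # Reject computed targets such as base::system(...) or (f)(...)
    if (!is.name(head)) stop("computed call target is not allowed")
    c(as.character(head), unlist(lapply(as.list(x)[-1], call_heads)))
  } else if (is.pairlist(x)) {
    unlist(lapply(x, call_heads))   # default values of formals
  } else {
    character(0)                    # constants and plain symbols
  }
}

check_user_function <- function(text) {
  exprs <- parse(text = text, keep.source = FALSE)
  # Exactly one top-level expression: rejects 'system("ls"); foo <- ...'
  if (length(exprs) != 1L) stop("expected exactly one expression")
  e <- exprs[[1]]
  ok_shape <- is.call(e) && identical(e[[1]], as.name("<-")) &&
    is.name(e[[2]]) && is.call(e[[3]]) &&
    identical(e[[3]][[1]], as.name("function"))
  if (!ok_shape) stop("expected 'name <- function(...) body'")
  bad <- setdiff(call_heads(e), ALLOWED)
  if (length(bad)) stop("call not allowed: ", paste(bad, collapse = ", "))
  # Formals are read from the tree; the user code is never evaluated.
  list(name = as.character(e[[2]]), formals = e[[3]][[2]])
}

res <- check_user_function("foo <- function(x = numeric()){mean(x)}")
print(res$formals)   # same information formals(foo) would give

# Constructed hostile inputs modelled on the one in the post:
for (txt in c('system("ls"); foo <- function(x = numeric()){mean(x)}',
              'foo <- function(x = system("ls")){mean(x)}')) {
  msg <- tryCatch(check_user_function(txt), error = conditionMessage)
  cat("rejected:", msg, "\n")
}
```

This is a static check on the submitted text, not a restricted evaluator like Perl's 'Safe'. The allowlist only holds up if it contains no function that calls its arguments or resolves names from strings.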