Re: Evaluating user-defined conditions

2014-06-11 Thread Andrew Beverley
On Tue, 2014-06-10 at 13:43 +0200, Abigail wrote: I'm going to need to allow strings to be matched. E.g: [age] 10 [name] eq jon Allow any string? Including strings that may potentially execute code? In that case, eval will be wrong. Or is the string just a list of alphanumerics? In

Re: Evaluating user-defined conditions

2014-06-11 Thread Chris Jack
Roger Bell_West ro...@firedrake.org wrote: On Tue, Jun 10, 2014 at 11:59:57AM +0100, Chris Jack wrote: Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow the query to run or not. Cost could be in terms of anticipated rows returned and/or total

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote: Dear all, I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? Thanks for all the replies. Indeed, I can't trust the user input, but nonetheless I wondered

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 07:10:30AM +0100, Andrew Beverley wrote: On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote: Dear all, I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? Thanks for all the

Re: Evaluating user-defined conditions

2014-06-10 Thread Iain C Docherty
If you want to be extra careful of user input you may want to look at Docker. http://www.docker.com/ This should give you the highest level of security against user input. We are using it to run users untrusted code. - icydee On 10 June 2014 08:20, Abigail abig...@abigail.be wrote: On Tue,

Re: Evaluating user-defined conditions

2014-06-10 Thread Mark Overmeer
* Andrew Beverley (a...@andybev.com) [140609 10:57]: I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? What about PPI: parse the string as Perl, then walk through the result tree to check for unsupported nodes. --

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should remain return if /\\/; # No escapes please

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should remain return if /\\/; # No escapes please

Re: Evaluating user-defined conditions

2014-06-10 Thread Tom Hukins
On Tue, Jun 10, 2014 at 09:55:40AM +0200, Mark Overmeer wrote: * Andrew Beverley (a...@andybev.com) [140609 10:57]: I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? What about PPI: parse the string as Perl,

Re: Evaluating user-defined conditions

2014-06-10 Thread James Laver
On 10 Jun 2014, at 09:26, Andrew Beverley a...@andybev.com wrote: I'm happy to be restrictive to the user, and only allow straightforward strings in double quotes. So anything else is removed or not allowed, and the strings in quotes are checked as above. I would not be surprised if I've

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 10:05 +0100, James Laver wrote: I was sort of hoping that the not too subtle hints that using eval is a bad idea would pay off. Apparently not. D'oh, I thought someone might say that... But it's so easy ;-) Got the message, will play with a parser.

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 09:26:17AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 09:36:07AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 11:37 +0200, Abigail wrote: On Tue, Jun 10, 2014 at 09:26:17AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 10:35:41AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 10:05 +0100, James Laver wrote: I was sort of hoping that the not too subtle hints that using eval is a bad idea would pay off. Apparently not. D'oh, I thought someone might say that... But it's so easy

Re: Evaluating user-defined conditions

2014-06-10 Thread Sue Spence
On 10 June 2014 10:35, Andrew Beverley a...@andybev.com wrote: On Tue, 2014-06-10 at 10:05 +0100, James Laver wrote: I was sort of hoping that the not too subtle hints that using eval is a bad idea would pay off. Apparently not. D'oh, I thought someone might say that... But it's so easy

Re: Evaluating user-defined conditions

2014-06-10 Thread Chris Jack
Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow the query to run or not. Cost could be in terms of anticipated rows returned and/or total anticipated CPU time. This could be a slippery slope as to do it well you'd have to start creating

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 12:23 +0200, Abigail wrote: Note that all you need is a *validating* parser. You don't have to bother with building a parse tree, and evaluating the results -- *that* can be left to Perl. Ah, okay, thanks. Here's a pattern that accepts expressions of the form you

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 12:06:21PM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 12:23 +0200, Abigail wrote: Note that all you need is a *validating* parser. You don't have to bother with building a parse tree, and evaluating the results -- *that* can be left to Perl. Ah, okay,

Re: Evaluating user-defined conditions

2014-06-10 Thread Roger Bell_West
On Tue, Jun 10, 2014 at 11:59:57AM +0100, Chris Jack wrote: Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow the query to run or not. Cost could be in terms of anticipated rows returned and/or total anticipated CPU time. Yeah, it shouldn't

Re: Evaluating user-defined conditions

2014-06-10 Thread David Cantrell
On Tue, Jun 10, 2014 at 11:59:57AM +0100, Chris Jack wrote: Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow the query to run or not. Cost could be in terms of anticipated rows returned and/or total anticipated CPU time. See

Re: Evaluating user-defined conditions

2014-06-10 Thread Avishalom Shalit
I can't help but repost this http://xkcd.com/327/ -- vish On 10 June 2014 07:26, Roger Bell_West ro...@firedrake.org wrote: On Tue, Jun 10, 2014 at 11:59:57AM +0100, Chris Jack wrote: Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow

Evaluating user-defined conditions

2014-06-09 Thread Andrew Beverley
Dear all, I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? For example, I might have an array of hashes containing name, price and age. I would like a user to be able to define their own condition, such as age 10

Re: Evaluating user-defined conditions

2014-06-09 Thread Abigail
On Mon, Jun 09, 2014 at 12:03:13PM +0100, Jason Clifford wrote: On 2014-06-09 11:36, Andrew Beverley wrote: Dear all, I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? For example, I might have an array of

Re: Evaluating user-defined conditions

2014-06-09 Thread James Laver
On 9 Jun 2014, at 12:39, Abigail abig...@abigail.be wrote: In short, Safe.pm may be the answer, but depending on who your users are, it may be overkill, or still contain too many hooks for an attacker. In short, if you trust the input, just eval() it, and if you don’t, you want a parser.

Re: Evaluating user-defined conditions

2014-06-09 Thread Gareth Harper
Language::Basic and Language::Basic::Expression look promising (if you don't particularly want to write your own parser). https://metacpan.org/pod/Language::Basic::Expression On 9 June 2014 13:10, James Laver james.la...@gmail.com wrote: On 9 Jun 2014, at 12:39, Abigail abig...@abigail.be

Re: Evaluating user-defined conditions

2014-06-09 Thread Paul LeoNerd Evans
On Mon, 9 Jun 2014 13:10:35 +0100 James Laver james.la...@gmail.com wrote: In short, if you trust the input, just eval() it, and if you don’t, you want a parser. You might consider transforming it automatically into postfix notation and building a really simple stack machine if you just