Jamal Hansen
Hi all,
I have a situation where I would like to create a string and
interpolate it later (sample code below). The string will be
interpolated while iterating through a potentially long list of
values. To do this I have set up the string as
astring = %q{%{somthing #{foo}}}
and am then using
eval(astring)
to cause the interpolation to happen.
Why? Well one of the variables I want is a block variable and out of
scope outside the block.
Another of the variables that is being interpolated is entered by the
user who I must assume could be malicious. I tried $SAFE=1 and then
back to 0 after the iteration, but it caused an error with 'require'.
Well enough talk; how safe is the following code? Assuming that the
input was passed in from the web rather than a gets. Also, is there a
better way of doing something like this? Thanks in advance for your
input. -Jamal
=========================================
class Foozle
  def foo
    # a hash to iterate through
    ahash = { :a => 'This', :b => 'That', :c => 'The other' }

    # get some value from user
    print 'value:'
    user_input = gets.chomp

    # our string to interpolate (%q does not interpolate, so the #{...}
    # sequences stay literal text until eval runs the string as Ruby)
    output = %q{%{#{v} asks, "Is user input '#{user_input}' safe for
any user input when $SAFE==0?"\n}}

    # ...and pow! (k is unused; only the value v is interpolated)
    ahash.each { | k, v | puts eval(output) }
  end
end

inst = Foozle.new
inst.foo
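One eval-free way to get the same deferred interpolation, as an added example that is not part of Jamal's post: the block variable and the user input are passed as arguments to a template built before the loop, so the input is only ever handled as data and no Ruby source is constructed at run time. Names such as render_with_lambda, render_with_format and the sample values are assumptions of this example.

```ruby
# Added example, not from the post: deferred interpolation without eval.
# The block variable and the user input are passed as arguments, so the
# template can be built once before the loop and applied to each value,
# and the input is only ever handled as data, never as Ruby source.

# Variant 1: the template is a lambda. Its parameters replace the
# out-of-scope block variable that motivated eval in the post.
def render_with_lambda(ahash, user_input)
  template = lambda do |v, input|
    %Q{#{v} asks, "Is user input '#{input}' safe?"\n}
  end
  ahash.map { |_k, v| template.call(v, user_input) }
end

# Variant 2: the template is a plain String with named references, filled
# by Kernel#format. Useful when the template text is stored in a file or
# config rather than written in Ruby.
def render_with_format(ahash, user_input)
  template = "%{v} asks, \"Is user input '%{input}' safe?\"\n"
  ahash.map { |_k, v| format(template, v: v, input: user_input) }
end

# Constructed sample input (assumed values). It contains an interpolation
# sequence to show that it comes out as literal text; the single quotes
# keep it literal at this point as well.
SAMPLE_HASH  = { a: 'This', b: 'That', c: 'The other' }
SAMPLE_INPUT = 'x#{1 + 1}y'

if __FILE__ == $0
  render_with_lambda(SAMPLE_HASH, SAMPLE_INPUT).each { |line| print line }
  render_with_format(SAMPLE_HASH, SAMPLE_INPUT).each { |line| print line }
end
```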