P
Phlip
Rubies:
The user gives me a string, inside user_string.
I set up an object model in memory, and eval(user_string). The user_string
contains code to work that object model.
After the call, I want to call system(cmd), where cmd is untainted and
clean.
Now I want to secure that string, so the user may not put
'system("whatever")' inside that string.
So try this:
user_string = "$SAFE = 1\n" + user_string
eval(user_string)
That fails to defend us from system("whatever"), because "whatever" is seen
as an untainted literal, not a tainted element of the greater string we are
inside of.
Raising $SAFE to 2 throttles the safe system() call after my eval().
How to make this situation safe?
The user gives me a string, inside user_string.
I set up an object model in memory, and eval(user_string). The user_string
contains code to work that object model.
After the call, I want to call system(cmd), where cmd is untainted and
clean.
Now I want to secure that string, so the user may not put
'system("whatever")' inside that string.
So try this:
user_string = "$SAFE = 1\n" + user_string
eval(user_string)
That fails to defend us from system("whatever"), because "whatever" is seen
as an untainted literal, not a tainted element of the greater string we are
inside of.
Raising $SAFE to 2 throttles the safe system() call after my eval().
How to make this situation safe?