Security riddle with $SAFE and untainted strings

(Phlip) #1


The user gives me a string, inside user_string.

I set up an object model in memory, and eval(user_string). The user_string
contains code to work that object model.

After the call, I want to call system(cmd), where cmd is untainted and

Now I want to secure that string, so the user may not put
'system("whatever")' inside that string.

So try this:

    user_string = "$SAFE = 1\n" + user_string

That fails to defend us from system("whatever"), because "whatever" is seen
as an untainted literal, not a tainted element of the greater string we are
inside of.

Raising $SAFE to 2 throttles the safe system() call after my eval().

How to make this situation safe?


  Phlip <-- NOT a blog!!!