PerlMonks  

Re^3: hex numbers

by haukex (Archbishop)
on Jan 14, 2021 at 18:17 UTC [id://11126923]


in reply to Re^2: hex numbers
in thread hex numbers

It is not unsafe.

davido didn't say that: "This works but is NOT recommended, and can be unsafe", and at least to me it's obvious that this refers to what you said:

it can be unsafe if used upon strings of dubious provenience

If one is doing eval, one is usually using it on strings based on user input or dynamically generated strings, otherwise one wouldn't have to eval in the first place!

Stringy eval is one of those "only do this if you really know what you are doing" type of things, so while your clarification certainly isn't wrong, I also think warning against it is absolutely the right thing.

Re^4: hex numbers
by shmem (Chancellor) on Jan 14, 2021 at 18:36 UTC
    davido didn't say that: "This works but is NOT recommended, and can be unsafe", and at least to me it's obvious that this refers to what you said

    Using string eval on a proper hex string constant can not be unsafe. While warning about string eval composed of user input or some such is appropriate, it is not for this construct. Warnings should be correct. Saying to a girl "if you kiss that boy you'll get pregnant!" is, albeit often turning out true in the long run, incorrect and misleading. Hence my comment.

    perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
      And of course code which assumes that the string can only ever contain hex digits is an exploit waiting to happen.

      Dave.

        That is what regular expressions are for:

        local $_ = <STDIN>; chomp; my $hexnum = undef; $hexnum = eval "0x$1" if (m/^(?:0[xX])?([[:xdigit:]]+)$/); die "bad input" unless defined $hexnum;

        Do not assume that the input meets your constraints — verify that the input meets your constraints! :-)

        And of course code which assumes that the string can only ever contain hex digits is an exploit waiting to happen.

        Code which doesn't assume the type of content of a variable but contains a string constant is only exploitable by editing the source file and munging the constant.

        See my answer to davido below.

        perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
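An added example, not code from any of the posters, that puts the validate-then-eval approach above beside Perl's hex() builtin, which yields the same number with no string eval involved; the input strings are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Validate-then-eval, the pattern from the post above: only an optional 0x/0X
# prefix plus hex digits may reach eval, so eval never sees anything but a
# numeric literal. \A and \z (unlike ^ and $) also reject a trailing newline,
# so the caller does not have to remember to chomp first.
sub parse_hex_eval {
    my ($input) = @_;
    return undef unless $input =~ /\A(?:0[xX])?([[:xdigit:]]+)\z/;
    return eval "0x$1";
}

# Same validation, converted with the hex() builtin: no string eval at all,
# so there is no code path that an externally supplied string could influence.
sub parse_hex_builtin {
    my ($input) = @_;
    return undef unless $input =~ /\A(?:0[xX])?([[:xdigit:]]+)\z/;
    return hex($1);
}

# Constructed inputs (not from the thread): valid literals plus strings that
# an unvalidated eval "0x$str" would treat as a Perl expression rather than data.
my @cases = (
    'ff',
    '0xFF',
    '0X1a2B',
    'deadbeef',
    '0xgg',        # non-hex character
    "ff\n",        # trailing newline
    '10 + 1',      # an expression: bare eval would compute 17, validation rejects it
    '',            # empty string
);

for my $in (@cases) {
    (my $shown = $in) =~ s/\n/\\n/g;
    my $via_eval    = parse_hex_eval($in);
    my $via_builtin = parse_hex_builtin($in);
    if (defined $via_builtin) {
        # Both conversions must agree on every accepted input.
        die "mismatch for '$shown'" unless $via_eval == $via_builtin;
        printf "%-12s -> %d\n", "'$shown'", $via_builtin;
    } else {
        printf "%-12s -> rejected\n", "'$shown'";
    }
}
```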
      Using string eval on a proper hex string constant can not be unsafe.

      Of course not, but again, it is a matter of how likely it is the OP is doing that vs. the string coming from outside the program.

      While warning about string eval composed of user input or some such is appropriate, it is not for this construct.

      Your interpretation of "This works but is NOT recommended, and can be unsafe" is very different from mine, but I've already explained myself.

      Warnings should be correct. Saying to a girl "if you kiss that boy you'll get pregnant!" is, albeit often turning out true in the long run, incorrect and misleading.

      I don't agree with that comparison; I personally think stringy eval is dangerous enough to compare it to unprotected sex instead of kissing, in which case your post is the one that is misleading. But this is moving into the area of opinions, which we could argue about all day. I did say that your clarification of the warning is a good thing, I just personally wouldn't have worded it as strongly as you did.
