PerlMonks  

Re^3: ascii colors from text file

by almut (Canon)
on Mar 02, 2007 at 22:53 UTC


in reply to Re^2: ascii colors from text file
in thread ascii colors from text file

Yeah sure, I agree that eval is always potentially dangerous... I figured this is rather well-known. And, I wasn't trying to spread "great memes" :)   Rather, I was simply trying to generically answer the problem of "Normally, I would use a double quoted string in my script... now what do I do to arrive at the same effect when I hold the part in between the quotes literally in a string, like when having read it from a file?"   Nowhere in the OP was any mention of other people potentially having control over the input.

Along similar lines you'd have to warn people every time they interpolate some variable into some command like

system "convert $imgname.png $imgname.jpg"

because, if $imgname could potentially come from an insecure source, they might get into trouble inadvertently running something like

system "convert ; rm -rf ~/* ;.png ..."

I'd probably even mention it if the danger is obvious, like someone inexperienced trying to execute code like this in CGI context or some such, but otherwise... should we always warn?
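The `system` interpolation risk described in the post above, shown from the defensive side as an added example that is not part of the original post or thread: the name is checked against an allowlist and handed to the list form of `system`, which starts no shell. The helper `convert_args`, the allowlist pattern and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Validate an image base name against an allowlist and build the argument
# list for the list form of system(), which passes each element to the
# program as one argv entry without involving /bin/sh.
sub convert_args {
    my ($imgname) = @_;
    # Allowlist: letters, digits, underscore, dot, hyphen. The first
    # character may not be a hyphen (read as an option) or a dot.
    return unless defined $imgname
        && $imgname =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    return ('convert', "$imgname.png", "$imgname.jpg");
}

# Constructed sample inputs; the second is the hostile value from the post.
my @samples = ('holiday_01', '; rm -rf ~/* ;', '-verbose', 'a b');

for my $name (@samples) {
    my @argv = convert_args($name);
    if (@argv) {
        print "accept: ", join(' | ', @argv), "\n";
        # system { $argv[0] } @argv;   # list form: no shell is started
    } else {
        print "reject: [$name]\n";
    }
}

# Show that the list form hands shell metacharacters over as plain data.
# $^X is the running perl, used here as a harmless stand-in for convert.
my $hostile = '; rm -rf ~/* ;';
system($^X, '-e', 'print scalar(@ARGV), " arg: [$ARGV[0]]\n"', "$hostile.png") == 0
    or die "child failed: $?";
```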

Replies are listed 'Best First'.
Re^4: ascii colors from text file
by Anno (Deacon) on Mar 02, 2007 at 23:56 UTC
    [about string eval to enforce interpolation]

    I'd probably even mention it if the danger is obvious, like someone inexperienced trying to execute code like this in CGI context or some such, but otherwise... should we always warn?

    Well, you don't know in what context someone will read your write-up in the future. Even in the given context, I am by no means sure if the original author is aware of the possible risk. She or he accepted the advice rather light-heartedly. I think we should always warn.

    Anno
