use Safe;

da w00t has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to figure out exactly what opcode gives you the functionality to do quoted string interpretation, eg when you set $foo='FOO!'; and then print "$foo"; -- what changes "$foo" into 'FOO!'. So, I threw together this script... and it ain't workin. Anyone have any experience with the safe module and Text::Template?

#!/usr/bin/perl
use Opcode;
use Text::Template;
use Safe;
my @names = Opcode::opset_to_ops(Opcode::full_opset);

foreach my $name (@names)
{
  my (@feh);
  my ($cmptmt);
  undef $cmptmt;
  print "trying name $name..\t\t";
  $cmptmt = new Safe;
  push @feh,$name;
  $cmptmt->permit_only(@feh);
  $Journal::true = 10;
  my $template_text = '{$true}';
  my $template = new Text::Template (TYPE   => 'STRING',
                                     SOURCE => $template_text,
                                     SAFE   => $cmptmt);
  my $return_text = $template->fill_in(PACKAGE => Journal);
  if ($return_text eq "10")
  {
    print "return text is ok... ";
  $cmptmt1 = new Safe;
  $cmptmt1->permit_only(@feh);

    my $template_text1 = '{open(PASSWD,"/etc/passwd");read(PASSWD,$_,1
+,0);print}';
    $template1 = new Text::Template (TYPE   => 'STRING',
                                    SOURCE => $template_text1,
                                    SAFE   => $cmptmt1);
    if ($return_text1 = $template1->fill_in(PACKAGE => Journal) == 1)
    { print "Um, ok?\n"; }
    else
    { print "Bad!!\n"; }
  }
}
[download]

Comment on use Safe; Download Code

Replies are listed 'Best First'.
Re: use Safe; by ColtsFoot (Chaplain) on May 07, 2001 at 14:02 UTC
Sorry but could you explain what you mean by not working When I run your script I get the following output. trying name null.. return text is ok... Um, ok? trying name stub.. return text is ok... Um, ok? trying name scalar.. return text is ok... Um, ok? trying name pushmark.. return text is ok... Um, ok? trying name wantarray.. return text is ok... Um, ok? trying name const.. return text is ok... Um, ok? trying name gvsv.. return text is ok... Um, ok? trying name gv.. return text is ok... Um, ok? trying name gelem.. return text is ok... Um, ok? trying name padsv.. return text is ok... Um, ok? ..... ..... Many more line of a similar format ..... trying name getlogin.. return text is ok... Um, ok? trying name syscall.. return text is ok... Um, ok? trying name lock.. return text is ok... Um, ok? trying name threadsv.. return text is ok... Um, ok? trying name setstate.. return text is ok... Um, ok? trying name method_named.. return text is ok... Um, ok? [download]	[reply] [d/l]
(tye)Re: use Safe; by tye (Sage) on May 07, 2001 at 20:38 UTC
The code `print "trying $name...";` gets compiled into the code `print "trying ".$name."...";`. Does that help you understand? - tye (but my friends call me "Tye")	[reply] [d/l] [select]
Re: use Safe; by da w00t (Sexton) on May 08, 2001 at 03:17 UTC
Basically-- the code in `$template_text1` should not be allowed to run inside a `Safe` compartment unless the specific perl opcodes are allowed. When I get the output `trying name null.. return text is ok... Um, ok?` that's supposed to mean that A), `$template_text` was template parsed into 1, therefore working correctly, and B), `$template_text1` also ran just fine. I'm assuming that when I `$cmptmt->permit_only("wantarray")` that an open, read, and print call would fail. They're not. That's my problem.	[reply] [d/l] [select]


Perl-Sensitive Sunglasses
	PerlMonks