use Safe and CGI;

Banky has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to create a CGI application that allows users to Safely eval some types of Perl code. Of course I need the Safe module to only allow a small subset of opcodes that are considered safe and useful for this application. Here's a test script I've been writing. It basically goes through and finds what opcodes $line needs to execute. It ex

#!/usr/bin/perl
use Opcode;
use Safe;
my @names = Opcode::opset_to_ops(Opcode::full_opset);
my @neededops;
use CGI;
my $query=CGI::new();
print $query->header();
print "<HTML><BODY>";
foreach $name(@names)
{
   my $cpt;
   $cpt=undef;
   $cpt=new Safe;
   $cpt->share('$name');
   my(@ops)=grep { $_ ne $name} @names;
   $cpt->permit_only(@ops);
   my $line=q{ print "Opcode: $name\n"; };
   $cpt->reval($line); 
   push @neededops, $name if $@;
}

print "<HR>\n\n@neededops\n";
print "</BODY></HTML>";
[download]

It works fine from the command line but when I run it through a browser I get a "The document contains no data" dialog box. If I comment out $cpt->reval($line) this disappears. Any ideas why this might be happening?
Thanks a lot,

Banky

Comment on use Safe and CGI; Download Code

Replies are listed 'Best First'.
Re: use Safe and CGI; by blue_cowdawg (Monsignor) on May 21, 2001 at 23:50 UTC
You might want to use `CGI::Carp qw/fatalsToBrowser/;`The caveat I would give in using that is make sure you remove it before you go production with the code. Breaking your script would give a would be hacker more information about your CGI environment than what might be healthy... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Peter L. Berghold --- Peter@Berghold.Net "Those who fail to learn from history are condemned to repeat it." Edit: chipmunk 2001-05-21	[reply] [d/l]
Re: Re: use Safe and CGI; by Banky (Acolyte) on May 22, 2001 at 07:22 UTC
Thanks for the tip but even when I add that in I get the same error. Anybody got any ideas?	[reply]
Re: use Safe and CGI; by no_slogan (Deacon) on May 21, 2001 at 22:55 UTC
Check your error logs, or `use CGI::Carp qw(fatalsToBrowser)`.	[reply] [d/l]
Re: use Safe and CGI; by Banky (Acolyte) on May 23, 2001 at 07:12 UTC
Tested it on another server and it works fine. Needless to say I'm befuddled but glad it wasn't my program but some outside/unknown factor. I'm still curious as to what that might be though :)	[reply]
Re: use Safe and CGI; by ColtsFoot (Chaplain) on May 22, 2001 at 09:54 UTC
I added a couple of BRs to improve formating and when I I run your script on a Linux box Redhat 6.2, perl 5.004_05 I get the following output `<HTML><BODY>Opcode: null<BR> Opcode: stub<BR> Opcode: scalar<BR> Opcode: wantarray<BR> Opcode: gvsv<BR> Opcode: gv<BR> Opcode: gelem<BR> Opcode: padsv<BR> Opcode: padav<BR> Opcode: padhv<BR> Opcode: padany<BR> Opcode: pushre<BR> Opcode: rv2gv<BR> Opcode: av2arylen<BR> Opcode: rv2cv<BR> ... ... Opcode: syscall<BR> <HR>pushmark<BR> <HR>const<BR> <HR>rv2sv<BR> <HR>concat<BR> <HR>stringify<BR> <HR>print<BR> <HR>leaveeval<BR> </BODY></HTML>` [download] Perhaps you could tell us what output you get when you run your script from the command line and a bit more about your setup	[reply] [d/l]
Re: Re: use Safe and CGI; by Banky (Acolyte) on May 23, 2001 at 02:10 UTC
This is what I get when I run it from the command line: `Content-Type: text/html <HTML><BODY>Opcode: null Opcode: stub Opcode: scalar Opcode: wantarray Opcode: gvsv Opcode: gv Opcode: gelem Opcode: padsv Opcode: padav Opcode: padhv Opcode: padany .... Opcode: sgrent Opcode: egrent Opcode: getlogin Opcode: syscall Opcode: lock Opcode: threadsv <HR> pushmark const rv2sv concat stringify print leaveeval </BODY></HTML>` [download] I'm running perl 5.005_03 and Apache/1.3.9 (Unix) Debian/GNU	[reply] [d/l]
Re: use Safe and CGI; by Anonymous Monk on May 15, 2003 at 02:13 UTC
I suspect it has to do with mod_perl. I tried this one and some of my own scripts which use Safe, and there were troubles when they ran under mod_perl which disappeared when I turned it off with "SetHandler cgi-script" in an .htaccess file. I would be interested if anyone has found out why mod_perl interferes, and if there is a way to make it work under mod_perl, though.	[reply]

Back to Seekers of Perl Wisdom