Joel Palmius wrote:
Ah, well, after five hours of experimentation I thought up a working
workaround anyway.

This works with an unpatched version of mp1 ($substr is any Perl code fetched from an external source):

      my(@ops) = split(/\x0a/,$substr);
      my($cell,$reval);

      foreach $cell (@ops)
      {
        $cell =~ s/^[\x09\ ]+//g;
        $cell =~ s/^print\ /\$output\ \.\=\ /;
        if($cell)
        {
          $reval .= $cell . "\n";
        }
      }

      my($output);

      $reval .= "\$output;\n";

      my($compartment) = new Safe("Tempo");
      $compartment->permit(qw(:browse));
      $output = $compartment->reval($reval);
      if($@)
      {
        $self->{ERROR} = gettext("Security exception: " . $@);
        $self->{ERRORCODE} = 99;
      }

      print $output;

I just replace all print statements with "$output .= ", and then make sure that the reval results in the final contents of $output, which I then print outside the reval().

Works fine now. So far nothing else has crashed, although I'm somewhat
suspicious of a number of rather random events in the code. I'm almost
certain this is me having messed up something else though.

Neat. I expect it to work as long as you do simple things; it's going to be much harder to make it work with more complex code. However, I was trying to simplify your logic and use IO::String to catch the output:


  print "Content-type: text/plain\n\n";
  use warnings;
  use strict;

  use Safe;

  our $output = '';
  my($cmpt) = new Safe 'MyRoot';
  $cmpt->share('$output');
  $cmpt->permit(qw(leaveeval entereval caller require :browse ));

  $cmpt->reval(<<'EOI');

  # redirect prints to a buffer
  use IO::String;
  my $str_fh = IO::String->new($output);
  select $str_fh;

  # put the normal code here
  print "gnu\n";
EOI

  if($@)
  {
    die $@;
  }

  select STDOUT;
  print $output;


However, if I'm not supposed to use Safe in conjunction with mp, what *am* I supposed to use?

I didn't say that. I just said that if it doesn't work for you... but as you have just shown that TIMTOWTDI ;)


It might be possible to convince me to write a version of Safe specifically
for mp1, although I expect I shall have to experience more problems with
the existing Safe code to be bothered. :-)

You can always give it a try.


__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
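
The rewrite-and-reval workaround discussed in this thread, as an added example that is not code from either poster: it runs three constructed snippets in a `:browse` compartment and reports what was captured and what the operation mask trapped. The helper name `run_untrusted`, the auto-named compartment and the sample snippets are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. All sample snippets are constructed.
use strict;
use warnings;
use Safe;

# Rewrite line-leading "print " to "$output .= " (the workaround from the
# thread), evaluate the result in a fresh compartment, return (output, error).
sub run_untrusted {
    my ($src) = @_;
    my $code = '';
    for my $line (split /\x0a/, $src) {
        $line =~ s/^[\x09 ]+//;               # strip leading tabs/spaces
        $line =~ s/^print /\$output .= /;     # only matches at start of line
        $code .= "$line\n" if length $line;
    }
    $code .= "\$output;\n";                   # make $output the reval result

    # Assumption: an auto-named compartment per run, so $output from one
    # snippet cannot leak into the next (the thread reuses a named root).
    my $cpt = Safe->new;
    $cpt->permit(qw(:browse));
    my $out = $cpt->reval($code);
    return ($out, $@);
}

my @samples = (
    [ 'plain print'  => qq{print "hello\\n";\nprint "world\\n";\n} ],
    # system is outside :browse, so the mask rejects it at compile time
    [ 'subprocess'   => qq{print "before\\n";\nsystem("true");\n} ],
    # Not rewritten (line starts with "if"): the print op is either trapped
    # by the mask or writes past the capture buffer, depending on whether
    # the installed Opcode's :browse tag includes print.
    [ 'nested print' => qq{if (1) { print "nested\\n" }\n} ],
);

for my $s (@samples) {
    my ($label, $src) = @$s;
    my ($out, $err) = run_untrusted($src);
    if ($err) {
        $err =~ s/\s+\z//;
        print STDOUT "[$label] rejected: $err\n";
    } else {
        $out = '' unless defined $out;
        $out =~ s/\n/\\n/g;
        print STDOUT "[$label] captured: '$out'\n";
    }
}
```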


