Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote: Dear all, I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? Thanks for all the replies. Indeed, I can't trust the user input, but nonetheless I wondered

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 07:10:30AM +0100, Andrew Beverley wrote: On Mon, 2014-06-09 at 11:36 +0100, Andrew Beverley wrote: Dear all, I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? Thanks for all the

Re: Evaluating user-defined conditions

2014-06-10 Thread Iain C Docherty
If you want to be extra careful of user input you may want to look at Docker. http://www.docker.com/ This should give you the highest level of security against user input. We are using it to run users' untrusted code. - icydee On 10 June 2014 08:20, Abigail abig...@abigail.be wrote: On Tue,

Re: Evaluating user-defined conditions

2014-06-10 Thread Mark Overmeer
* Andrew Beverley (a...@andybev.com) [140609 10:57]: I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? What about PPI: parse the string as Perl, then walk through the result tree to check for unsupported nodes. --

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should remain return if /\\/; # No escapes please

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should remain return if /\\/; # No escapes please

Re: Evaluating user-defined conditions

2014-06-10 Thread Tom Hukins
On Tue, Jun 10, 2014 at 09:55:40AM +0200, Mark Overmeer wrote: * Andrew Beverley (a...@andybev.com) [140609 10:57]: I'd like to take a condition specified by a user and use it to perform a set of tests on a data set. Is there a module to do this? What about PPI: parse the string as Perl,

Re: Evaluating user-defined conditions

2014-06-10 Thread James Laver
On 10 Jun 2014, at 09:26, Andrew Beverley a...@andybev.com wrote: I'm happy to be restrictive to the user, and only allow straightforward strings in double quotes. So anything else is removed or not allowed, and the strings in quotes are checked as above. I would not be surprised if I've

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 10:05 +0100, James Laver wrote: I was sort of hoping that the not too subtle hints that using eval is a bad idea would pay off. Apparently not. D'oh, I thought someone might say that... But it's so easy ;-) Got the message, will play with a parser.

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 09:26:17AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 09:36:07AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return if /[\[\]]+/;# No brackets should

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 11:37 +0200, Abigail wrote: On Tue, Jun 10, 2014 at 09:26:17AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 09:20 +0200, Abigail wrote: # Sanitise $_ = $code; return unless /^[ \S]+$/; # Only allow normal spaces return

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 10:35:41AM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 10:05 +0100, James Laver wrote: I was sort of hoping that the not too subtle hints that using eval is a bad idea would pay off. Apparently not. D'oh, I thought someone might say that... But it's so easy

Re: Evaluating user-defined conditions

2014-06-10 Thread Sue Spence
On 10 June 2014 10:35, Andrew Beverley a...@andybev.com wrote: On Tue, 2014-06-10 at 10:05 +0100, James Laver wrote: I was sort of hoping that the not too subtle hints that using eval is a bad idea would pay off. Apparently not. D'oh, I thought someone might say that... But it's so easy

Re: Evaluating user-defined conditions

2014-06-10 Thread Chris Jack
Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow the query to run or not. Cost could be in terms of anticipated rows returned and/or total anticipated CPU time. This could be a slippery slope as to do it well you'd have to start creating

Re: Evaluating user-defined conditions

2014-06-10 Thread Andrew Beverley
On Tue, 2014-06-10 at 12:23 +0200, Abigail wrote: Note that all you need is a *validating* parser. You don't have to bother with building a parse tree, and evaluating the results -- *that* can be left to Perl. Ah, okay, thanks. Here's a pattern that accepts expressions of the form you

Re: Evaluating user-defined conditions

2014-06-10 Thread Abigail
On Tue, Jun 10, 2014 at 12:06:21PM +0100, Andrew Beverley wrote: On Tue, 2014-06-10 at 12:23 +0200, Abigail wrote: Note that all you need is a *validating* parser. You don't have to bother with building a parse tree, and evaluating the results -- *that* can be left to Perl. Ah, okay,

Re: Evaluating user-defined conditions

2014-06-10 Thread Roger Bell_West
On Tue, Jun 10, 2014 at 11:59:57AM +0100, Chris Jack wrote: Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow the query to run or not. Cost could be in terms of anticipated rows returned and/or total anticipated CPU time. Yeah, it shouldn't

Re: Evaluating user-defined conditions

2014-06-10 Thread David Cantrell
On Tue, Jun 10, 2014 at 11:59:57AM +0100, Chris Jack wrote: Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow the query to run or not. Cost could be in terms of anticipated rows returned and/or total anticipated CPU time. See

Re: Evaluating user-defined conditions

2014-06-10 Thread Avishalom Shalit
I can't help but repost this http://xkcd.com/327/ -- vish On 10 June 2014 07:26, Roger Bell_West ro...@firedrake.org wrote: On Tue, Jun 10, 2014 at 11:59:57AM +0100, Chris Jack wrote: Can I suggest you consider including some rudimentary idea of cost when you're deciding whether to allow