Phoenix.pm: writing to packages

David A Sinck sinck at today.com
Tue May 11 10:17:58 CDT 1999


\_ Just gets really messy. With a sub to create the initial package 
\_ and another to create vars in a package I should be able to create 
\_ packages on the fly within the main and populate them.

eval &build_package(@args);  # ought to do the trick given the right
			     # &build_package and @args

\_ Actually both. I am really into agents/bots and delving into AI. I 
\_ want scripts to be able to find out what other scripts are doing or 
\_ what they can do. 
Thereby hangs a tale.

\_ If I have an agent mulling around my HD (want to 
\_ move it to the web) and it sees a script (doesn't know what it is 
\_ yet). I want it to dynamically create a package from that script and 
\_ run it contained to see what it does. 

Heh.  Um, look for Safe or some such; be sure to run with tainting.

\_ Then instruct it to do 
\_ something, or modify it to do something. I figured if it sucks the 
\_ script into a string, I can push that string into a namespace, parse 
\_ it for dangerous commands like:
\_ 
\_ `cd /`;
\_ `rm -rf *`;

Well, that's nice in theory, but can you get your program to figure
out if this is dangerous?:

*_=\$#;$/=q#(.)#;$#=10;$^X=~s|.*/||;$\=chr;$#=gmtime$#;substr($#,$^F#^F
*$^F**$^F-1)=al;s$\$/( )\$/\$/$e\$2\u\$^X\$2\$3o\$1r$ && print time

*I* say this is safe, because I know what it does, but could a program
decide that it was ok?  [Bonus points for those who haven't seen this
before and can figure out what it does w/o interpreter.]

Or what about the standard

$my_rm_cmd = (random($seed)[5,3,2,76]); 

which builds a random dictionary, then derefs the characters in it to
build 'rm -rf /' in a string?

Or what about

system('makenorm -rf $args');  # =~ /rm -rf/


There's a heap of problems associated with determining whether a
program is 'safe' automagically, and the few I've pointed out are just
the tip....

\_ I want it to be able to look inside another script's symbol table and 
\_ see what's inside of there. This will give an indication of what the 
\_ script does, what modules it's referring to, etc.

You might want to check out the Apache mod_perl stuff for something
similar since everything is in the same name space.

David
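Added example (mine, not code from David's post or anyone else in the Phoenix.pm thread), showing the two approaches the reply contrasts: a source-text scan for "dangerous commands" versus compiling the same text inside a Safe compartment, which refuses forbidden operators no matter how the argument string was assembled. It also walks the compartment's package stash to list the subs a contained script defined, the symbol-table inspection the original poster asked about. The two script texts are constructed for the example, and looks_dangerous is a hypothetical stand-in for the regex check proposed in the thread. It needs only the core Safe and Opcode modules.

```perl
#!/usr/bin/perl
# Added example, not from the original post.
use strict;
use warnings;
use Safe;

# Approach 1 from the thread: grep the source text for known-bad commands.
# Hypothetical check standing in for "parse it for dangerous commands".
sub looks_dangerous {
    my ($src) = @_;
    return $src =~ /\brm\s+-rf\b/ ? 1 : 0;
}

# Approach 2: compile and run the text inside a Safe compartment.  Safe's
# default operator mask (Opcode's :default set) leaves out :subprocess
# (system, backticks, exec, fork) and :filesys_write, so such an op is
# refused when the code is compiled, before anything executes, regardless
# of how its argument was built.  Returns (status, detail, compartment).
sub run_contained {
    my ($src) = @_;
    my $cpt = Safe->new;
    my $rv  = $cpt->reval($src);
    if ($@) {
        chomp(my $err = $@);
        return ('refused', $err, $cpt);
    }
    return ('ok', $rv, $cpt);
}

# Walk the compartment's root package stash and keep the names that are
# defined subs: a look at another script's symbol table without ever
# running that script outside the sandbox.
sub defined_subs {
    my ($cpt) = @_;
    my $root = $cpt->root;
    no strict 'refs';
    return sort grep { defined &{"${root}::$_"} } keys %{"${root}::"};
}

# Constructed untrusted script #1: assembles "rm -rf /" from character
# codes, so the literal string never appears in the source.
my $sneaky = <<'EOS';
my $cmd = join '', map { chr } (114, 109, 32, 45, 114, 102, 32, 47);
system($cmd);
EOS

# Constructed untrusted script #2: harmless, defines two subs and
# returns a value.
my $benign = <<'EOS';
sub greet { "hello, $_[0]" }
sub twice { 2 * $_[0] }
twice(21);
EOS

for my $src ($sneaky, $benign) {
    printf "regex scan flags it: %s\n", looks_dangerous($src) ? 'yes' : 'no';
    my ($status, $detail, $cpt) = run_contained($src);
    print "Safe says: $status ($detail)\n";
    print "subs defined: @{[ defined_subs($cpt) ]}\n" if $status eq 'ok';
}
```

The regex scan says "no" for both scripts, while the compartment refuses the first one with a "'system' trapped by operation mask" compile error and runs the second, returning 42 and exposing the subs greet and twice. Run it as `perl -T sandbox.pl` to get the tainting David recommends; note that under -T, script text read from a file is tainted and reval (an eval of a string) dies with an "Insecure dependency" error, so the caller must untaint it deliberately through a regex capture before the compartment will even look at it.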