Phoenix.pm: writing to packages

Shay Harding mekla at geocities.com
Tue May 11 16:49:45 CDT 1999


> > Then instruct it to do 
> > something, or modify it to do something. I figured if it sucks the 
> > script into a string, I can push that string into a namespace, parse 
> > it for dangerous commands like:
> > 
> > `cd /`;
> > `rm -rf *`;
>
>Well, that's nice in theory, but can you get your program to figure
>out if this is dangerous?:
>
>*_=\$#;$/=q#(.)#;$#=10;$^X=~s|.*/||;$\=chr;$#=gmtime$#;substr($#,$^F#^F
>*$^F**$^F-1)=al;s$\$/( )\$/\$/$e\$2\u\$^X\$2\$3o\$1r$ && print time
>
>*I* say this is safe, because I know what it does, but could a program
>decide that it was ok?  [Bonus points for those who haven't seen this
>before and can figure out what it does w/o interpreter.]

Herein lies the problem... how to determine what is dangerous. This is all
basically theory and just things I was thinking of. I have no code for any of
this. I mean, how do you really find out if something is dangerous? Something as
simple as:

$var = \@{$contents}[0];

          or

$self->{VAR} = \@{$contents}[0];

This could be dangerous depending on what is stored there. There may be
encrypted text in there which can't be recognized until decrypted then analyzed.

Since Perl is so flexible you could build a string from the hex code for the
characters. There are a lot of possibilities and it would take too long to go
through each one for every line of code.


>There's a heap of problems associated with determining whether a
>program is 'safe' automagically, and the few I've pointed out are just
>the tip....

I agree; it's just like there's a heap of problems in trying to dynamically parse a web
page for specific data. How do you know where it is, what
format? You could just pattern match, but that will more than likely return
undesired data, etc.

This is where it would be nice to have some sort of fuzzy algorithms to
determine, with a degree of accuracy, what is safe, what is closest to the set
of conditions you set. And if it is wrong, it needs to be able to 'remember'
this and not do it again. (It being the agent or bot in question).

These are exactly the sort of things discussed on a perl-ai list I subscribe
to. Lots of questions and few answers.


--

Shay
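The thread above argues that deciding by inspection whether a string of Perl is dangerous is impractical (the shell-out may be hidden in a hex-built string, in data that is decrypted later, and so on). The following is an added example, not code from this thread or from any of its participants: instead of recognising "dangerous commands" by pattern, it compiles the untrusted text inside a compartment built with Perl's core `Safe` module, whose operator mask refuses opcodes such as `system`, backticks and file-opening at compile time. The sample scripts in `%samples` are constructed for the illustration; the package name `Sandbox` is arbitrary. Note that `Safe` restricts what the compiled code can do rather than proving the code harmless, and compartments have had escapes historically, so it is a containment layer, not a verdict.

```perl
#!/usr/bin/perl
# Added example (not from the thread): run untrusted Perl text under an
# operator mask rather than trying to spot dangerous commands by regex.
# Safe and Opcode are core Perl modules.
use strict;
use warnings;
use Safe;

# Build a compartment: its own namespace plus an operator mask.
sub make_compartment {
    my $cpt = Safe->new('Sandbox');   # untrusted code compiles into package Sandbox
    $cpt->permit_only(':default');    # conservative base opset from Opcode
    # :default already excludes these; listing them makes the intent explicit.
    $cpt->deny(qw(:subprocess :filesys_write :filesys_open));
    return $cpt;
}

# Compile and run $code inside a fresh compartment.
# Returns ('ok', value) when it ran, ('rejected', error) when an opcode was masked.
sub run_untrusted {
    my ($code) = @_;
    my $cpt    = make_compartment();
    my @result = $cpt->reval($code);   # reval = eval within the compartment
    return ('rejected', $@) if $@;
    return ('ok', "@result");
}

# Constructed sample scripts. The first two resemble the examples quoted in
# the thread; the last one looks obfuscated but only builds the string "hello".
my %samples = (
    backtick    => q{ `rm -rf *`; },
    system_call => q{ system("rm -rf *"); },
    open_write  => q{ open(my $fh, '>', '/tmp/x') or die "open: $!"; },
    arithmetic  => q{ my $n = 6 * 7; $n },
    hex_string  => q{ "\x68\x65\x6c\x6c\x6f" },
);

for my $name (sort keys %samples) {
    my ($status, $detail) = run_untrusted($samples{$name});
    $detail =~ s/\n.*//s;             # keep only the first line of any error
    printf "%-12s %-9s %s\n", $name, $status, $detail;
}
```

Running it, the `backtick`, `system_call` and `open_write` samples are rejected before they execute (Perl reports the operation as "trapped by operation mask"), while `arithmetic` and `hex_string` run and return their values. The design point is that the decision is made by the interpreter at compile time over opcodes, so it does not matter how the text spelling out the command was assembled.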