Phoenix.pm: writing to packages
David A Sinck
sinck at today.com
Tue May 11 10:17:58 CDT 1999
\_ Just gets really messy. With a sub to create the initial package
\_ and another to create vars in a package I should be able to create
\_ packages on the fly within the main and populate them.
eval &build_package(@args); # ought to do the trick given the right
# &build_package and @args
\_ Actually both. I am really into agents/bots and delving into AI. I
\_ want scripts to be able to find out what other scripts are doing or
\_ what they can do.
Thereby hangs a tale.
\_ If I have an agent mulling around my HD (want to
\_ move it to the web) and it sees a script (doesn't know what it is
\_ yet). I want it to dynamically create a package from that script and
\_ run it contained to see what it does.
Heh. Um, look for Safe or some such, be sure to run with tainting.
\_ Then instruct it to do
\_ something, or modify it to do something. I figured if it sucks the
\_ script into a string, I can push that string into a namespace, parse
\_ it for dangerous commands like:
\_
\_ `cd /`;
\_ `rm -rf *`;
Well, that's nice in theory, but can you get your program to figure
out if this is dangerous?:
*_=\$#;$/=q#(.)#;$#=10;$^X=~s|.*/||;$\=chr;$#=gmtime$#;substr($#,$^F#^F
*$^F**$^F-1)=al;s$\$/( )\$/\$/$e\$2\u\$^X\$2\$3o\$1r$ && print time
*I* say this is safe, because I know what it does, but could a program
decide that it was ok? [Bonus points for those who haven't seen this
before and can figure out what it does w/o interpreter.]
Or what about the standard
$my_rm_cmd = (random($seed)[5,3,2,76]);
which builds a random dictionary, then derefs the characters in it to
build 'rm -rf /' in a string?
Or what about
system('makenorm -rf $args'); # =~ /rm -rf/
There's a heap of problems associated with determining whether a
program is 'safe' automagically, and the few I've pointed out are just
the tip....
\_ I want it to be able to look inside another script's symbol table and
\_ see what's inside of there. This will give an indication of what the
\_ script does, what modules it's referring to, etc.
You might want to check out the Apache mod_perl stuff for something
similar since everything is in the same name space.
David
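
An added illustration of the reply's point (not code from the original message): a constructed regex filter of the kind proposed in the thread gives a false positive on `makenorm -rf` and a false negative on a command assembled from pieces, while the core `Safe` module's default opcode mask refuses `system` however the string was built. `looks_dangerous`, `run_contained` and the sample snippets are hypothetical names and constructed inputs.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Naive source filter of the kind proposed in the thread (constructed).
sub looks_dangerous {
    my ($src) = @_;
    return $src =~ /rm -rf/ ? 1 : 0;
}

# Compile and run untrusted source in a Safe compartment. The default
# opcode mask denies system, exec, backticks, fork and file opens, so
# such code is rejected at compile time and never executes.
sub run_contained {
    my ($src) = @_;
    my $cpt    = Safe->new;          # fresh namespace, ":default" opcodes only
    my $result = $cpt->reval($src);
    if ($@) {
        (my $err = $@) =~ s/\s+\z//;
        return "blocked ($err)";
    }
    return 'ran, returned ' . (defined $result ? $result : 'undef');
}

# Constructed samples, not taken from any real script.
my %samples = (
    # Harmless string handling, but the regex flags it (false positive).
    false_positive => q{my $tool = 'makenorm -rf'; length $tool},
    # Command assembled from pieces, so the regex sees nothing (false negative).
    false_negative => q{my @p = ('r','m',' -','rf'); system(join('', @p) . ' ./constructed-scratch')},
    # Plain arithmetic: passes both checks.
    benign         => q{my $n = 6; $n * 7},
);

for my $name (sort keys %samples) {
    my $src = $samples{$name};
    printf "%-15s filter=%-7s safe=%s\n", $name,
        looks_dangerous($src) ? 'FLAGGED' : 'clean',
        run_contained($src);
}
```

The opcode mask only limits what the compartment may do; it does not decide what the script was meant to do, which is the harder problem the message describes.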