Friday Fun with EVAL()
I think I may have come across the first time in my >5 years of using MATLAB that I have a case where the best possible answer is to use eval().
Here's the scenario:
I'm working on a test that requires the user to input a string in an edit box. This string needs to create a very specific anonymous function, e.g.:
Create an anonymous function, f, that takes two inputs x,y and runs x^2+y^2+2
Once the anonymous function is created, I can test the correctness using a comparison with the output from functions(f).
How I plan to safeguard against it breaking everything else:
- eval(str) will be inside of a try/catch in case they error.
- I will "pre-regexprep" the string to remove any case where more than two letters are consecutive. This should stop most malicious behavior.
- I will eval(str) inside of a subfunction where no variables being destroyed or created will hurt me.
- I will verify that f exists and that it's a function handle. If it does not exist, I'll pass back a wrong answer so it fails.
Ps. when I say malicious, I just mean someone having fun with this :)
The alternatives I've thought of:
- Use regexp to verify that everything in the string is in the right order. Shortcoming: this does not scale well, and there are cases where the answer is correct but my regular expression misses it, such as with unnecessary extra parentheses.
- Write it to a MATLAB file. Run the file. This has no real advantages that I can see...
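As an added example (not Sean's code or anything posted in the thread), here is how the four safeguards listed above could fit together in one MATLAB file. The function names buildUserFunction, evalIsolated and checkAnswer, and the sample strings, are made up for the illustration. It departs from the post in two places: the "no more than two consecutive letters" rule rejects the string instead of editing it, and the grade is computed by evaluating the handle at sample points rather than comparing the text returned by functions(f), so an answer with extra parentheses is still accepted.

```matlab
% Added example, not the original poster's code.  Save as
% demo_user_anonymous_function.m and run it; assumed names throughout.
function demo_user_anonymous_function()
    % Constructed sample inputs: correct, correct with extra parentheses,
    % numerically wrong, and one that tries to call a named function.
    samples = { 'f = @(x,y) x^2+y^2+2', ...
                'f = @(x,y) ((x^2) + (y^2)) + 2', ...
                'f = @(x,y) x^2+y^2+3', ...
                'f = @(x,y) system(''dir'')' };
    for k = 1:numel(samples)
        f = buildUserFunction(samples{k});
        fprintf('%-40s -> %d\n', samples{k}, checkAnswer(f));
    end
end

function f = buildUserFunction(str)
% Return a function handle built from the user's string, or [] on any
% rejection or error.
    f = [];
    % Character allow-list: word characters, whitespace and the punctuation
    % an expression over x and y can legitimately need.  Quotes (strings),
    % brackets, ';' and '!' (shell escape) are refused before eval sees them.
    if isempty(regexp(str, '^[\w\s()@,.=+\-*/^]*$', 'once'))
        return
    end
    % Three or more consecutive letters means a named identifier (system,
    % delete, ...).  Reject rather than strip, so the string is never run
    % in a form the user did not type.  x, y, pi and the name f still pass.
    if ~isempty(regexp(str, '[A-Za-z]{3,}', 'once'))
        return
    end
    try
        f = evalIsolated(str);
    catch
        f = [];      % any error raised by the user's text yields no handle
    end
    if ~isa(f, 'function_handle')
        f = [];      % the string assigned something other than a handle
    end
end

function f = evalIsolated(str)
% eval runs in this function's own workspace, so the user's string can
% only create or clobber variables that live here and die on return.
    f = [];
    eval([str ';']);
end

function ok = checkAnswer(f)
% Grade by value at a few constructed points instead of by comparing the
% text of the anonymous function.
    ok = false;
    if isempty(f)
        return
    end
    ref = @(x, y) x.^2 + y.^2 + 2;
    xs = [0 1 -2 3.5];
    ys = [1 -1 2 0.5];
    try
        got = arrayfun(f, xs, ys);     % scalar calls, so ^ and .^ both work
        ok = all(abs(got - ref(xs, ys)) < 1e-9);
    catch
        ok = false;                    % wrong arity or non-numeric result
    end
end
```

Running the file prints 1 for the first two strings and 0 for the last two: the third fails the value check and the fourth never reaches eval. The two filters only shrink the surface that eval exposes (two-letter commands such as cd still get through), which is the point Jan makes below: this is a guard against typos and casual mischief, not a sandbox.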
Answers (3)
Friedrich
on 13 Apr 2013
Edited: Friedrich
on 13 Apr 2013
Hi Sean,
Why use "eval" and not "inline" on the post-processed user input string?
Friedrich
on 15 Apr 2013
Edited: Friedrich
on 15 Apr 2013
As long as you call eval only once it should be fine with eval. In addition, the 13a doc states: "inline will be removed in a future release. Use Anonymous Functions instead."
Which then will lead to eval in order to create dynamically the function handle anyway.
Jan
on 18 Apr 2013
Edited: Jan
on 18 Apr 2013
Make the expression a string and send it by urlwrite to a dedicated problem at Cody. Here Matlab runs in a virtual machine which is refreshed automatically. They run it under Ubuntu, such that you do not have to care about the security leaks in Windows, which would allow one to get admin privileges. Unfortunately Ubuntu is not a tank either, and an evil user could try to embed code to start sendmail.
This would catch evilness of the category 1 to 3:
- typos
- unwanted calls of toolbox functions
- calls of operating system functions like deleting files
This would not catch evilness of category 4:
- psychotic script kids, who really plan to use your program for evil and criminal activities.
My conclusion: It is your intention to evaluate code typed in by the user. Then eval is fine, because this is a dangerous command for a dangerous purpose. If you add 100 REGEXP restrictions, the user simply opens a shell and sends the evil commands directly to the operating system. If the user has physical access to the computer, 100% bullet-proof systems are impossible. If you want to offer your GUI through a web interface for public access, check your log files very frequently.