Unsafe evaluation

From NetSec
Revision as of 12:09, 2 December 2012 by JtRIPper

   Unsafe evaluation
     Proof of concept:
       It is never safe to eval() user input, plain and simple.  There is always another way to skin the cat; try and consider that!
     
     Mitigation:
       Design the application so that the function "eval" is never combined with user input.
     
     Auditing:
       # GNU find/grep: match file extensions and eval( case-insensitively, with 2 lines of context
       find . -type f -regextype posix-awk -iregex ".*\.(rb|php|pl|py|pm)" -exec grep -HniC2 '\beval(' '{}' \;
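
Added example (not part of the original page) for the Mitigation point: a calculator-style feature written with eval() next to a version that parses the input and applies only whitelisted arithmetic. The function names, the operator set and the 200-character limit are assumptions chosen for illustration.

```python
import ast
import operator

# Whitelist of arithmetic operators the evaluator will apply.
_BINARY = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}

MAX_LEN = 200  # assumed limit; bounds parser and recursion work on hostile input


def unsafe_calc(expr):
    """The pattern the page warns about: user input reaches eval()."""
    return eval(expr)  # any Python expression runs, not just arithmetic


def safe_calc(expr):
    """Evaluate +, -, *, /, % over numbers by walking the parsed AST."""
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    return _walk(tree.body)


def _walk(node):
    # Only int/float literals; strings, bools and complex numbers are refused.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        return _BINARY[type(node.op)](_walk(node.left), _walk(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_walk(node.operand))
    # Names, calls, attribute access, subscripts, ** and so on are all refused.
    raise ValueError("disallowed syntax: " + type(node).__name__)


if __name__ == "__main__":
    # Constructed sample inputs.
    for text in ["2 + 3 * 4", "-(7 % 4) / 2", "__import__('os').getcwd()"]:
        try:
            print(repr(text), "->", safe_calc(text))
        except ValueError as err:
            print(repr(text), "-> rejected:", err)
```

The exponent operator is left out of the whitelist on purpose, since a short input such as a chained power can consume large amounts of CPU and memory.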