eval
Differences
This shows you the differences between two versions of the page.
| — | eval [2007/02/12 22:51] (current) – created - external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ======Synopsis: | ||
| + | [[eval]] //< | ||
| + | |||
| + | ======Description: | ||
| + | [[Eval]] treats its arguments as a [[block statement|ircii_syntax]] and | ||
| + | executes it. Generally the only place you need to use [[eval]] is at the | ||
| + | input prompt. | ||
| + | as command statements that already expanded; | ||
| + | in your statement and have them substituted, | ||
| + | any way to do that. But the [[eval]] command provides for this. | ||
| + | |||
| + | This is the reason why using [[eval]] in a script is so dangerous. | ||
| + | command statements are expanded before the command is executed, it is | ||
| + | possible for dangerous text to be included in the argument list. You must | ||
| + | never pass to [[eval]] anything that contains text from an untrusted | ||
| + | source (ie, from the server) | ||
| + | |||
| + | But for a more concrete example, [[eval]] allows you to indirectly reference | ||
| + | variables, but only if you're careful about it: | ||
| + | |||
| + | if (1) { | ||
| + | @ variable = 'this is some text'; | ||
| + | @ indirect = ' | ||
| + | echo $indirect; | ||
| + | eval echo $indirect | ||
| + | }; | ||
| + | |||
| + | The output of these two echos are: | ||
| + | |||
| + | $variable | ||
| + | this is some text | ||
| + | |||
| + | Why does this work? Because ircII expands $'s in the command and then splits | ||
| + | it into a command and an argument: | ||
| + | |||
| + | eval echo $indirect | ||
| + | |||
| + | expands to: | ||
| + | |||
| + | eval echo $variable | ||
| + | |||
| + | and the [[eval]] command expands the arguments, and runs them: | ||
| + | |||
| + | " | ||
| + | |||
| + | becomes | ||
| + | |||
| + | " | ||
| + | |||
| + | and this results in the second line of output. | ||
| + | about this, because if you [[eval]] a string that comes from an untrusted | ||
| + | source, someone could take over your client. | ||
| + | |||
| + | on public * {eval echo $*} | ||
| + | |||
| + | Now consider if someone says "hi there!;exec rm -rf ~" | ||
| + | |||
| + | "eval echo $*" | ||
| + | |||
| + | becomes | ||
| + | |||
| + | "eval echo hi there!;exec rm -rf ~" | ||
| + | |||
| + | which becomes | ||
| + | |||
| + | " | ||
| + | |||
| + | If this occurs, epic will dutifully remove all your files. | ||
| + | Do not use [[eval]] without a very good reason! | ||
| + | |||
| + | ======History: | ||
| + | |||
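Review bot: The `on public * {eval echo $*}` example in the Description section is shown only in its dangerous form, with no safe counterpart beside it, so a reader learns what breaks but not what to write instead. The text already explains that command statements are expanded before the command is executed, so directly after the example it should say that `on public * {echo $*}` displays the message with that single expansion and leaves the server-supplied text as data rather than passing it through the second expansion that `eval` performs. A smaller point in the same section: "The output of these two echos are:" should read "is".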
eval.txt · Last modified: 2007/02/12 22:51 by 127.0.0.1
