Tuesday, 28 May by David Farrell
The Perl eval function will execute any Perl code contained in a string that is passed to it. This article shows how eval can be used to execute Perl code stored in text files.
Let's imagine that we want to execute this Perl statement stored in 'print.txt':
print "it works! \n";
We can write a simple Perl script called 'eval.pl' that will slurp 'print.txt' into a string, and then call eval on the string:
use strict;
use warnings;
use File::Slurp;

my $command = read_file('print.txt');   # slurp the whole file into a string
eval $command;                          # compile and run the string as Perl code
die "eval failed: $@" if $@;            # a failing string eval sets $@ instead of dying
Now we can run 'eval.pl' to prove it works:
perl eval.pl
it works!
When eval is called on a string of Perl code, the code is compiled and run in a nested lexical scope of the calling code, much as if it had been written inside a block at that point. This means variables declared in the main program are visible to the code read from the text file when eval runs it. Let's update 'print.txt' to print a variable:
And 'eval.pl' to declare $message and set the text to be printed:
use strict;
use warnings;
use File::Slurp;

my $command = read_file('print.txt');
my $message = "We injected this message\n";   # in scope, so the eval'd code can see it
eval $command;
die "eval failed: $@" if $@;
Now running the code we can see the injected message is printed:
perl eval.pl
We injected this message
Although it is a cool feature, any technique that executes arbitrary code read from a text file is rife with risk: whoever can write to that file can run code with the privileges of your script. So exercise the proper caution and checks before employing this method!
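As an added example that is not part of the original article, here is the same read-then-eval flow with the checks a practitioner would want before trusting the file: the file must be owned by the running user and writable only by that owner, $@ is tested after the eval, and the scoping rule described above is shown in both directions. read_trusted_file is a hypothetical helper name, the sample file content is constructed here, and only core modules are used, so File::Slurp is not required.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Hypothetical helper (not from the article): read a file that is about to be
# eval'd, but refuse it unless it is owned by the user running this script and
# is writable only by that owner. Anyone who can edit the file can run code
# with this script's privileges, so the file must be as trusted as the script.
sub read_trusted_file {
    my ($path) = @_;
    my @st = stat $path or die "cannot stat $path: $!";
    my ($mode, $uid) = @st[2, 4];
    die "$path is not owned by the running user (uid $>)\n" if $uid != $>;
    die "$path is group- or world-writable; refusing to eval it\n"
        if $mode & (S_IWGRP | S_IWOTH);
    open my $fh, '<', $path or die "cannot open $path: $!";
    my $code = do { local $/; <$fh> };    # slurp without File::Slurp
    close $fh;
    return $code;
}

# Constructed sample input: the equivalent of the article's 'print.txt'.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} 'my $inner = "only inside eval"; print $message; length $message;';
close $tmp;
chmod 0600, $path or die "chmod $path: $!";

my $message = "We injected this message\n";   # visible to the eval'd code
my $code    = read_trusted_file($path);
my $len     = eval $code;                     # nested lexical scope, like a block
die "eval of $path failed: $@" if $@;         # never let a failed eval pass silently
print "eval returned the length of \$message: $len\n";

# Variables declared with `my` inside the eval'd string do not leak back out;
# under strict, referring to $inner here is a compile error caught in $@.
eval 'defined $inner';
print "\$inner visible after the eval? ", ($@ ? "no\n" : "yes\n");
```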