This shows you the differences between two versions of the page.
— |
eval [2007/02/12 22:51] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ======Synopsis:====== | ||
+ | [[eval]] //<block>// | ||
+ | |||
+ | ======Description:====== | ||
+ | [[Eval]] treats its arguments as a [[block statement|ircii_syntax]] and | ||
+ | executes it. Generally the only place you need to use [[eval]] is at the | ||
+ | input prompt. Normally the commands you type at the input prompt are treated | ||
+ | as command statements that already expanded; If you wish to put $-expandos | ||
+ | in your statement and have them substituted, you would not ordinarily have | ||
+ | any way to do that. But the [[eval]] command provides for this. | ||
+ | |||
+ | This is the reason why using [[eval]] in a script is so dangerous. Because | ||
+ | command statements are expanded before the command is executed, it is | ||
+ | possible for dangerous text to be included in the argument list. You must | ||
+ | never pass to [[eval]] anything that contains text from an untrusted | ||
+ | source (ie, from the server) | ||
+ | |||
+ | But for a more concrete example, [[eval]] allows you to indirectly reference | ||
+ | variables, but only if you're careful about it: | ||
+ | |||
+ | if (1) { | ||
+ | @ variable = 'this is some text'; | ||
+ | @ indirect = '$variable'; | ||
+ | echo $indirect; | ||
+ | eval echo $indirect | ||
+ | }; | ||
+ | |||
+ | The output of these two echos are: | ||
+ | |||
+ | $variable | ||
+ | this is some text | ||
+ | |||
+ | Why does this work? Because ircII expands $'s in the command and then splits | ||
+ | it into a command and an argument: | ||
+ | |||
+ | eval echo $indirect | ||
+ | |||
+ | expands to: | ||
+ | |||
+ | eval echo $variable | ||
+ | |||
+ | and the [[eval]] command expands the arguments, and runs them: | ||
+ | |||
+ | "eval" + "echo $variable" | ||
+ | |||
+ | becomes | ||
+ | |||
+ | "eval" + "echo this is some text" | ||
+ | |||
+ | and this results in the second line of output. You have to be very careful | ||
+ | about this, because if you [[eval]] a string that comes from an untrusted | ||
+ | source, someone could take over your client. Consider this: | ||
+ | |||
+ | on public * {eval echo $*} | ||
+ | |||
+ | Now consider if someone says "hi there!;exec rm -rf ~" | ||
+ | |||
+ | "eval echo $*" | ||
+ | |||
+ | becomes | ||
+ | |||
+ | "eval echo hi there!;exec rm -rf ~" | ||
+ | |||
+ | which becomes | ||
+ | |||
+ | "eval" + "echo hi there!;exec rm -rf ~" | ||
+ | |||
+ | If this occurs, epic will dutifully remove all your files. **BE CAREFUL!** | ||
+ | Do not use [[eval]] without a very good reason! | ||
+ | |||
+ | ======History:====== | ||
+ | |||
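Review bot: The injection walk-through near the end shows only the unsafe hook, `on public * {eval echo $*}`, and never the form a script author should write instead, so the closing "Do not use eval without a very good reason" leaves the reader without the fix. Suggest following the walk-through with the same hook written without eval, `on public * {echo $*}`, plus one sentence tying it back to the first example, where a plain `echo $indirect` printed `$variable` literally because the text is expanded once and not run again. Smaller points: in the Description, "treated as command statements that already expanded; If you wish" is missing "are" and has a stray capital after the semicolon; the untrusted-source sentence stops at "(ie, from the server)" with no period, and it would help to say which expandos carry server text; "The output of these two echos are" should read "is"; and the History section is added empty, so either fill it in or drop the heading.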