xeval
Differences
This shows you the differences between two versions of the page.
— | xeval [2010/05/12 22:25] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ======Synopsis: | ||
+ | [[xeval]] //[see flags below]// //< | ||
+ | |||
+ | ======Description: | ||
+ | The [[xeval]] command runs the //< | ||
+ | alias expansion again. | ||
+ | |||
+ | **EXTREME CAUTION: THE CARELESS USE OF THIS COMMAND IS THE SOURCE OF AN | ||
+ | INJECTION ATTACK.** | ||
+ | |||
+ | =====Safe uses:===== | ||
+ | - At the input prompt, when you want to use a variable value | ||
+ | - When you have stored trusted code, in a variable and you want to run it | ||
+ | - When you have surrounded //< | ||
+ | |||
+ | **IT IS NEVER A SAFE USE OF XEVAL TO EXPAND A VARIABLE TWICE.** | ||
+ | This can't be stressed strongly enough. | ||
+ | |||
+ | ====At the input line==== | ||
+ | Let's say you have a variable whose value you want to pass to a command. | ||
+ | Ordinarily you can't do that because the input line is handled literally | ||
+ | and your $'s don't expand. | ||
+ | at the input line. | ||
+ | |||
+ | ===Example of expanding variables at the input line:=== | ||
+ | /assign myvar isn't this neat? | ||
+ | /xeval say This string contains a variable which will expand -> $myvar | ||
+ | |||
+ | ====When you have code stored in a variable==== | ||
+ | According to the language syntax, after a statement is removed from a block, | ||
+ | it is subject to $ expansion and then executed. | ||
+ | that are part of the syntax (such as ";" | ||
+ | act as statement separators. | ||
+ | |||
+ | ====Example of converting strings into code:==== | ||
+ | @ mycode = 'echo hi there!;join #epic' | ||
+ | xeval -- $mycode | ||
+ | |||
+ | ====When you have surrounded block with curly braces==== | ||
+ | When dealing with untrusted strings, you want to make sure they don't get | ||
+ | parsed as statements. | ||
+ | so if you wrap //< | ||
+ | treated as code: | ||
+ | |||
+ | ===Example of using curly braces to prevent untrusted strings:=== | ||
+ | on msg * {xeval -w MsgWin {echo $*}} | ||
+ | |||
+ | =====Unsafe uses:===== | ||
+ | - To double-expand a variable | ||
+ | - When used with any string you received anywhere but the user | ||
+ | |||
+ | ====Examples of unsafe uses:==== | ||
+ | ===Double expanding a variable=== | ||
+ | @ foo = ' | ||
+ | @ bar = ' | ||
+ | xeval echo $foo | ||
+ | |||
+ | That doesn' | ||
+ | |||
+ | @ bar = ' | ||
+ | |||
+ | That leads to: | ||
+ | |||
+ | xeval echo testing; | ||
+ | |||
+ | If you want to double expand a variable or string, use the %%**%% operator | ||
+ | |||
+ | echo ${**foo} | ||
+ | |||
+ | |||
+ | ====When used on any unsafe string==== | ||
+ | An unsafe string is any string received from anywhere except the user at | ||
+ | the input line or from the file that the user [[load]]ed. | ||
+ | any string received from irc. | ||
+ | |||
+ | on msg * {xeval -w MsgWin xecho -b Msg from $*} | ||
+ | |||
+ | This is an injection attack because if msg you " | ||
+ | then the above command becomes: | ||
+ | |||
+ | xeval -w MsgWin echo testing; | ||
+ | |||
+ | Whenever you are dealing with an untrusted string, always wrap the command | ||
+ | in curly braces when using [[xeval]]. | ||
+ | as: | ||
+ | |||
+ | on msg * {xeval -w MsgWin {xecho -b Msg from $*}} | ||
+ | |||
+ | ======Options: | ||
+ | | -server <server desc> | Change from_server to the given server. | | ||
+ | | -window <window desc> | Change current_window to the given window. | | ||
+ | | -noisy | ||
+ | | -- | (Two dashes) End option processing. | ||
+ | |||
+ | It's possible to set //-server// and //-window// independantly of each | ||
+ | other, which allows you to do crazy things like setting the current window | ||
+ | to a window whose server is not the same as // | ||
+ | to always set them both, and to ensure that the //-server// is set to the | ||
+ | server that //-window// belongs to. | ||
+ | |||
+ | The original server and window settings are restored before returning, so | ||
+ | [[xeval]]ing a command that changes the current window or server will appear | ||
+ | to have no effect. | ||
+ | |||
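Review bot: In the "When used on any unsafe string" section, the expansion shown after "then the above command becomes:" reads "xeval -w MsgWin echo testing;", but the handler directly above it is "on msg * {xeval -w MsgWin xecho -b Msg from $*}". The expanded line should therefore start with "xecho -b Msg from" rather than "echo". As written, the reader cannot map the expansion back onto the handler it is supposed to illustrate. The same section defines a safe string as one from the user at the input line or from a file the user loaded, while the "Unsafe uses" list says "anywhere but the user"; use the fuller definition in both places so the list does not contradict the section. Smaller points: "====Example of converting strings into code:====" sits at the same heading level as its parent section, whereas the other example headings use "===". In "Safe uses" the comma in "trusted code, in a variable" should go. "independantly" in the Options text should be "independently".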
xeval.txt · Last modified: 2010/05/12 22:25 by 127.0.0.1