Evaluating perl code (e.g. via ``eval'' or ``do 'file''') causes the code to be compiled into an internal format and then, provided there was no error in the compilation, executed. The internal format is based on many distinct opcodes.
By default no opmask is in effect and any code can be compiled.
The Opcode module allow you to define an operator mask to be in effect when perl next compiles any code. Attempting to compile code which contains a masked opcode will cause the compilation to fail with an error. The code will not be executed.
Bugs in the perl interpreter that could be abused to bypass Opcode restrictions are not treated as vulnerabilities. See perlsecpolicy for additional information.
The authors make no warranty, implied or otherwise, about the suitability of this software for safety or security purposes.
The authors shall not in any case be liable for special, incidental, consequential, indirect or other similar damages arising from the use of this software.
Your mileage will vary. If in any doubt do not use it.
Each operator has both a terse name (its opname) and a more verbose or recognisable descriptive name. The opdesc function can be used to return a list of descriptions for a list of operators.
Many of the functions and methods listed below take a list of operators as parameters. Most operator lists can be made up of several types of element. Each element can be one of
The opset and opset_to_ops functions can be used to convert from a list of operators to an opset and vice versa.
Wherever a list of operators can be given you can use one or more opsets. See also Manipulating Opsets below.
In a list context it returns a list of all the operator names. (Not yet implemented, use @names = opset_to_ops(full_opset).)
Most of the other Opcode functions call verify_opset automatically and will croak if given an invalid opset.
The optag name used must not be defined already (define_optag will croak if it is already defined). Optag names are global to the perl process and optag definitions cannot be altered or deleted once defined.
It is strongly recommended that applications using Opcode should use a leading capital letter on their tag names since lowercase names are reserved for use by the Opcode module. If using Opcode within a module you should prefix your tags names with the name of your module to ensure uniqueness and thus avoid clashes with other modules.
It's designed to be used as a handy command line utility:
perl -MOpcode=opdump -e opdump perl -MOpcode=opdump -e 'opdump Eval'
However you should never rely on the numerical position of any opcode within the opset. In other words both sides of a bit vector operator should be opsets returned from Opcode functions.
Also, since the number of opcodes in your current version of perl might not be an exact multiple of eight, there may be unused bits in the last byte of an upset. This should not cause any problems (Opcode functions ignore those extra bits) but it does mean that using the ~ operator will typically not produce the same 'physical' opset 'string' as the invert_opset function.
$bool = opset_eq($opset1, $opset2) true if opsets are logically equivalent $yes = opset_can($opset, @ops) true if $opset has all @ops set @diff = opset_diff($opset1, $opset2) => ('foo', '!bar', ...)
null stub scalar pushmark wantarray const defined undef rv2sv sassign rv2av aassign aelem aelemfast aelemfast_lex aslice kvaslice av2arylen rv2hv helem hslice kvhslice each values keys exists delete aeach akeys avalues multideref argelem argdefelem argcheck preinc i_preinc predec i_predec postinc i_postinc postdec i_postdec int hex oct abs pow multiply i_multiply divide i_divide modulo i_modulo add i_add subtract i_subtract left_shift right_shift bit_and bit_xor bit_or nbit_and nbit_xor nbit_or sbit_and sbit_xor sbit_or negate i_negate not complement ncomplement scomplement lt i_lt gt i_gt le i_le ge i_ge eq i_eq ne i_ne ncmp i_ncmp slt sgt sle sge seq sne scmp isa substr vec stringify study pos length index rindex ord chr ucfirst lcfirst uc lc fc quotemeta trans transr chop schop chomp schomp match split qr list lslice splice push pop shift unshift reverse cond_expr flip flop andassign orassign dorassign and or dor xor warn die lineseq nextstate scope enter leave rv2cv anoncode prototype coreargs avhvswitch anonconst entersub leavesub leavesublv return method method_named method_super method_redir method_redir_super -- XXX loops via recursion? cmpchain_and cmpchain_dup leaveeval -- needed for Safe to operate, is safe without entereval
concat multiconcat repeat join range anonlist anonhash
Note that despite the existence of this optag a memory resource attack may still be possible using only :base_core ops.
Disabling these ops is a very heavy handed way to attempt to prevent a memory resource attack. It's probable that a specific memory limit mechanism will be added to perl in the near future.
grepstart grepwhile mapstart mapwhile enteriter iter enterloop leaveloop unstack last next redo goto
readline rcatline getc read formline enterwrite leavewrite print say sysread syswrite send recv eof tell seek sysseek readdir telldir seekdir rewinddir
gvsv gv gelem padsv padav padhv padcv padany padrange introcv clonecv once rv2gv refgen srefgen ref refassign lvref lvrefslice lvavref bless -- could be used to change ownership of objects (reblessing) regcmaybe regcreset regcomp subst substcont sprintf prtf -- can core dump crypt tie untie dbmopen dbmclose sselect select pipe_op sockpair getppid getpgrp setpgrp getpriority setpriority localtime gmtime entertry leavetry -- can be used to 'hide' fatal errors entergiven leavegiven enterwhen leavewhen break continue smartmatch custom -- where should this go
atan2 sin cos exp log sqrt
These ops are not included in :base_core because they have an effect beyond the scope of the compartment.
:base_core :base_mem :base_loop :base_orig :base_thread
This list used to contain :base_io prior to Opcode 1.07.
If safety matters to you (and why else would you be using the Opcode module?) then you should not rely on the definition of this, or indeed any other, optag!
stat lstat readlink ftatime ftblk ftchr ftctime ftdir fteexec fteowned fteread ftewrite ftfile ftis ftlink ftmtime ftpipe ftrexec ftrowned ftrread ftsgid ftsize ftsock ftsuid fttty ftzero ftrwrite ftsvtx fttext ftbinary fileno
ghbyname ghbyaddr ghostent shostent ehostent -- hosts gnbyname gnbyaddr gnetent snetent enetent -- networks gpbyname gpbynumber gprotoent sprotoent eprotoent -- protocols gsbyname gsbyport gservent sservent eservent -- services gpwnam gpwuid gpwent spwent epwent getlogin -- users ggrnam ggrgid ggrent sgrent egrent -- groups
The :browse tag represents the next step beyond :default. It is a superset of the :default ops and adds :filesys_read the :sys_db. The intent being that scripts can access more (possibly sensitive) information about your system but not be able to change it.
:default :filesys_read :sys_db
sysopen open close umask binmode open_dir closedir -- other dir ops are in :base_io
link unlink rename symlink truncate mkdir rmdir utime chmod chown fcntl -- not strictly filesys related, but possibly as dangerous?
backtick system fork wait waitpid glob -- access to Cshell via <`rm *`>
exec exit kill time tms -- could be used for timing attacks (paranoid?)
SystemV Interprocess Communications:
msgctl msgget msgrcv msgsnd semctl semget semop shmctl shmget shmread shmwrite
require dofile caller runcv
chdir flock ioctl socket getpeername ssockopt bind connect listen accept shutdown gsockopt getsockname sleep alarm -- changes global timer state and signal handling sort -- assorted problems including core dumps tied -- can be used to access object implementing a tie pack unpack -- can be used to create/use memory pointers hintseval -- constant op holding eval hints entereval -- can be used to hide code from initial compile reset dbstate -- perl -d version of nextstate(ment) opcode
syscall dump chroot
Safe --- Opcode and namespace limited execution compartments
Split out from Safe module version 1, named opcode tags and other changes added by Tim Bunce.