I have a research-oriented database, online, accessible via my own web interface and open to public use. The application is set up to allow read-only access to the database, the CGI script is hosted on a linux server, and the script is definitely not set as setuid. I am not allowing any use of nested executable code inside the regex, via the following sort of rules during the parsing of the query:

return "ERROR: For security and bandwidth reasons, query may not conta
+in pure wildcards." if $SR_query =~ m/^[( ]*\.\s*(?:(?:\{\s*\d+\s*,?\
+s*\d*\s*})?|[*+?]*)[) ]*$/;
return "ERROR: Regex containing code disallowed." if $SR_query =~ m[\(
+\?\??\{];
[download]

Beyond these fundamental/basic protections against potential malicious actors, is there anything I might be blindly walking into by unleashing this capability in my website?

I have had to run a rather complicated subroutine on the query itself to prevent taint from objecting to it--even though the code is never "executed" other than being inserted into a m// to run against text drawn from the database prior to formatting the results for return to the browser. But this is a small price to pay for the very useful functionality of having regex-capable searches on the database.