PerlMonks
Re: User regexps

by Fletch (Bishop)
on Jan 14, 2004 at 15:09 UTC [id://321270]


in reply to User regexps

If you can't trust your users, it would be better to allow just a limited subset of regexen ( maybe only allow the characters []()A-z0-9\s.+*?|- and nothing else ).

Replies are listed 'Best First'.
Re: User regexps
by Abigail-II (Bishop) on Jan 14, 2004 at 15:44 UTC
    And that's going to prevent you from danger exactly how?

    There are two potential dangers when running user supplied regexes. 1) arbitrary code injection and 2) resource exhaustion. 1) is not possible by default, only if you enable use re 'eval', or use string eval (which isn't done by the OP). 2) is a more serious problem, and can be achieved with the limited set of characters you propose.

    Abigail

      The resource exhaustion issues can be partly defended against using ulimit at the shell level, or suitable system calls. I don't actually know if there's a direct Perl interface to that; nothing in perlfunc anyway.
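The three points made above (a character whitelist, no `use re 'eval'`, and a process-level limit on the match) can be combined into one small wrapper. The following is an added example written for this page, not code posted by any of the monks in the thread. It assumes a Unix-like perl with a working `fork()`; the helper name `safe_match`, the status strings it returns, and the demo inputs are all my own construction.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes a Unix-like perl with
# fork(); the helper name safe_match and the status strings are my own.
use strict;
use warnings;
use POSIX ':sys_wait_h';             # WNOHANG for non-blocking waitpid
use Time::HiRes qw(time sleep);      # fractional seconds for the deadline loop

# Run a user-supplied pattern against $subject with three defences:
#   1. a character whitelist (roughly the subset Fletch proposed),
#   2. compilation without 'use re "eval"', so (?{ ... }) cannot run code,
#   3. matching in a forked child that is killed after $timeout seconds,
#      which is what bounds the resource-exhaustion case Abigail raises.
# Returns one of: 'match', 'nomatch', 'rejected', 'timeout'.
sub safe_match {
    my ($pattern, $subject, $timeout) = @_;
    $timeout = 1 unless defined $timeout;

    # 1. Whitelist. A-Za-z is used instead of A-z: inside a character class
    #    A-z also admits [ \ ] ^ _ and backtick. Backslash is not admitted
    #    at all, so escapes such as \s are rejected; a literal space is fine.
    return 'rejected' unless $pattern =~ /\A[A-Za-z0-9\s\[\]().+*?|-]*\z/;

    # 2. Compile. With the default (no 'use re "eval"'), an interpolated
    #    (?{ ... }) or (??{ ... }) makes qr// die instead of running code,
    #    and so does any syntax error; both land here as 'rejected'.
    my $re = eval { qr/$pattern/ };
    return 'rejected' unless defined $re;

    # 3. Match in a child. The parent polls with WNOHANG and never blocks
    #    inside the regex engine, so a pattern that backtracks exponentially
    #    costs at most $timeout seconds of wall-clock time before SIGKILL.
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        my $ok = $subject =~ $re;
        POSIX::_exit($ok ? 0 : 1);   # skip END blocks/destructors in the child
    }
    my $deadline = time() + $timeout;
    while (time() < $deadline) {
        my $reaped = waitpid($pid, WNOHANG);
        return (($? >> 8) == 0 ? 'match' : 'nomatch') if $reaped == $pid;
        sleep 0.02;
    }
    kill 'KILL', $pid;
    waitpid($pid, 0);
    return 'timeout';
}

# Constructed demo inputs. The third case is the classic a?^n a^n pattern:
# every character is in the whitelist and it compiles, yet matching it
# against a^n backtracks through roughly 2^n states before succeeding.
my $n = 32;
my @cases = (
    [ 'foo|bar',                     'xxfooxx', 'plain alternation'             ],
    [ '[0-9]+ [A-Z]',                '42 X',    'classes and a literal space'   ],
    [ ('a?' x $n) . ('a' x $n),      'a' x $n,  'whitelisted, but exponential'  ],
    [ '(?{ die })',                  'abc',     'braces are outside the subset' ],
    [ '(unbalanced',                 'abc',     'fails to compile'              ],
);
for my $c (@cases) {
    my ($pat, $subj, $note) = @$c;
    my $status = safe_match($pat, $subj, 1);
    printf "%-8s  %-30.30s  %s\n", $status, $pat, $note;
}
```

The child process is also the natural place for the ulimit idea from the reply above: core perl has no `setrlimit` in perlfunc, but the CPAN module BSD::Resource provides one, and a `RLIMIT_CPU` ceiling set in the child just after `fork()` would cap CPU time in addition to the wall-clock kill. The parent polls with `WNOHANG` rather than relying on `alarm` interrupting a match in the same process; killing a separate process with SIGKILL works regardless of how signals are delivered to the regex engine.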
Re: Re: User regexps
by paulbort (Hermit) on Jan 15, 2004 at 20:37 UTC
    Whether you can trust your users isn't an issue. Whether you can trust anyone who might come across your UI anytime in the future is an issue.

    Out of general paranoia our CGI wrapper drops any characters that are not in {A-Za-z0-9-\/.@,: }. (And ':' was a recent addition, to support entering URLs.)

    --
    Spring: Forces, Coiled Again!
