DB<53> $EVIL= ',@{[say "kill all kitties!"]}'

  DB<54> $str = "2,4..9"

  DB<55> p $str =~ m/[^0-9,.]/           # OK

  DB<56> $str .= $EVIL

  DB<57> p $str =~ m/[^0-9,.]/           # NOT OK
1
  DB<58> eval $str
kill all kitties!
[download]

update

in order to avoid syntax error you need to check $@ to see if the eval was successful. NB line 82, not all errors are caught tho

  DB<80> @list = eval ",1..3"; unless($@){say for @list }

  DB<81> @list = eval "1..3"; unless($@){say for @list }
1
2
3

  DB<82> @list = eval "1.3"; unless($@){say for @list }
1.3
[download]

I think rejecting any $str containing anything which isn't a cipher, comma or dot prior to eval $str should be good enough

Not quite, since it would also accept ",....," and other things like that (one of the things I meant with "other subtle bugs"). Personally I would suggest both a regex like /\A(\d+(?:\.\.\d+)?)(?:,(?1))*\z/ and checking eval for errors. And at that level, the complexity is high enough that something like* tybalt89's solution is probably better.

* Update: By which I mean, something like tybalt89's solution with some added error checking ;-)

> both a regex like /\A(\d+(?:\.\.\d+)?)(?:,(?1))*\z/

That's overkill in that case,...

> and checking eval for errors.

... checking eval for errors is enough, once the code fails.

Your all-covered approach reminds me of parents insisting to drive their kids to school while they keep their bike's helmet on.

Like this you are scaring them away from learning how to bike by themselves.

Cheers Rolf
_{(addicted to the Perl Programming Language :)
Wikisyntax for the Monastery}