in reply to Re: Vulnerabilities when editing untrusted code... (Komodo)
in thread Vulnerabilities when editing untrusted code... (Komodo)

looks like this has been taken care of!

D:\tmp\pm>type unsafe_regex_BEGIN.pl
exit;

'' =~ ('(?{B'.'EGIN{die "owned"}})');


D:\tmp\pm>perl -c unsafe_regex_BEGIN.pl
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{BEGIN{d
+ie "owned"
}})/ at unsafe_regex_BEGIN.pl line 3.

D:\tmp\pm>perl -v

This is perl 5, version 32, subversion 1 (v5.32.1) built for MSWin32-x
+64-multi-thread

[download]

Tho I don't understand the message. Why "runtime"???

update

found this https://github.com/rurban/perl-compiler/issues/137 and mailed Reini asking for insight. :)

Cheers Rolf
(addicted to the Perl Programming Language :)
Wikisyntax for the Monastery

  • Comment on Re^2: Vulnerabilities when editing untrusted code... (compiletime injection in regex)
  • Download Code

Replies are listed 'Best First'.
Re^3: Vulnerabilities when editing untrusted code... (compiletime injection in regex)
by LanX (Saint) on Oct 06, 2021 at 15:24 UTC
    OK the term "eval-group" seems to refer to an optimization which concats 2 strings °

    '' =~ ('STRING1'.'STRING2');

    but if you don't bother splitting up the BEGIN you can still inject code at compiletime :(

    D:\tmp\pm>type unsafe_regex_BEGIN.pl
exit;
'' =~ m/(?{ BEGIN{ die "owned"} })/ ;

D:\tmp\pm>perl -c unsafe_regex_BEGIN.pl
owned at unsafe_regex_BEGIN.pl line 2.
BEGIN failed--compilation aborted at unsafe_regex_BEGIN.pl line 2.

D:\tmp\pm>

    [download]

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery

    °) and variable interpolation in general see re#'eval'-mode

[reply]
[d/l]
[select]

In Section Meditations