in reply to Re^3: Untaint a string match, regular expression.
in thread Untaint a string match, regular expression.

It's trivial for a few things, but quickly becomes larger than life. The question is how do we securely interpret an re with a large enough feature-set to be useful for most things.

Looks like this may not be a concern and that's indeed an acceptable answer.


Re^5: Untaint a string match, regular expression.
by Anonymous Monk on May 18, 2015 at 00:48 UTC

    It's trivial for a few things, but quickly becomes larger than life. The question is how do we securely interpret an re with a large enough feature-set to be useful for most things. Looks like this may not be a concern and that's indeed an acceptable answer.

    What do you mean by "securely", what is the security concern?

      How do people know there isn't one? The default is to assume there is, and this is held above hoping there isn't. perlsec has a good indication that it's probably not a good idea. If that's true, then what should users turn to?

      From what I understand of the three bad things only two are un-accounted for.

      1. Execution of arbitrary code. Not likely, perl works to prevent this.
      2. Taking up huge amounts of memory.
      3. Taking longer than time itself to complete.

        Taking up huge amounts of memory. Taking longer than time itself to complete.

        That is easy, let the parent monitor the child process, kill it if it breaches time/memory limits.... use OS-specific process controls where available (ulimit -a and what not)
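The parent-monitors-child scheme described in this reply, written out as an added example (this is not code posted in the thread, and the names `guarded_match` and the limits used are my own). It forks a worker, applies a per-process address-space limit in the child, compiles and runs the untrusted pattern there, and has the parent SIGKILL the child when it overruns a wall-clock budget. The memory limit uses BSD::Resource, which is a CPAN module rather than core Perl, so that part is skipped if the module is absent; the time limit is enforced by the parent with `kill`, because a child-side `alarm` may be deferred by Perl's safe-signal handling while a single long match is in progress. The three outcomes in the thread's list map onto the three return values: a runtime `(?{ ... })` in the pattern is a compile error (no `use re 'eval'` here), an "Out of memory!" death in the child comes back as `killed`, and a runaway match comes back as `timeout`.

```perl
#!/usr/bin/perl
# Added example (not from the thread): run an untrusted regex in a child
# process and let the parent kill it on time or memory overrun.
# Assumes a POSIX-like host with fork/kill/pipe; BSD::Resource is optional.
use strict;
use warnings;
use POSIX qw(WNOHANG);

# BSD::Resource (CPAN, not core) provides setrlimit(); without it only the
# time limit is enforced.
my $have_rlimit = eval { require BSD::Resource; 1 };

# guarded_match(pattern => $untrusted, string => $text, seconds => N, mem_mb => M)
# returns one of: 'match', 'nomatch', 'error:<message>', 'timeout', 'killed'.
sub guarded_match {
    my (%arg)  = @_;
    my $pattern = $arg{pattern};
    my $string  = $arg{string};
    my $seconds = $arg{seconds} // 2;      # wall-clock budget for the match
    my $mem_mb  = $arg{mem_mb}  // 64;     # address-space cap for the child

    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                       # ---- child: the sandboxed worker
        close $rd;
        if ($have_rlimit) {
            my $bytes = $mem_mb * 1024 * 1024;
            # Hitting this makes perl die with "Out of memory!", which the
            # parent sees as an empty pipe -> 'killed'.
            BSD::Resource::setrlimit(BSD::Resource::RLIMIT_AS(), $bytes, $bytes);
        }
        my $result = eval {
            # No 'use re "eval"' in scope, so a (?{ ... }) block arriving in the
            # interpolated string is a compile-time error, not code execution.
            my $re = qr/$pattern/;
            $string =~ $re ? 'match' : 'nomatch';
        };
        $result = 'error:' . ($@ =~ s/\n.*//sr) unless defined $result;
        print {$wr} $result;
        close $wr;                         # flush before leaving
        POSIX::_exit(0);                   # skip END blocks / parent buffers
    }

    close $wr;                             # ---- parent: the monitor
    my $deadline = time + $seconds + 1;    # one second of grace for startup
    my $reaped   = 0;
    while (time < $deadline) {
        $reaped = waitpid($pid, WNOHANG);
        last if $reaped == $pid;
        select(undef, undef, undef, 0.05); # poll every 50 ms
    }

    my $out;
    if ($reaped == $pid) {
        local $/;
        $out = <$rd> // '';
        $out = 'killed' if $out eq '';     # child died before reporting
    } else {
        kill 'KILL', $pid;                 # breached the time limit
        waitpid($pid, 0);
        $out = 'timeout';
    }
    close $rd;
    return $out;
}

# Constructed demo input: a run of 'a' with no 'b', so patterns that need a
# 'b' must fail and backtrack.  Whether the nested-quantifier pattern times
# out or simply returns 'nomatch' depends on the engine's super-linear cache.
if (!caller) {
    my $input = 'a' x 30;
    for my $p ('^a+$', '(a*)*b', 'a(?{ system("id") })') {
        printf "%-24s => %s\n", $p,
            guarded_match(pattern => $p, string => $input, seconds => 2);
    }
}
```

Two things worth keeping in mind when using this shape: `RLIMIT_AS` caps the child's virtual address space, not its resident set, so the cap has to be large enough for perl itself plus the compiled pattern; and because the parent reads the result only after `waitpid` succeeds, the child must write a short result, not stream the matched text back through the pipe, or the pipe buffer can fill and the two sides deadlock.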