in reply to Untaint a string match, regular expression.

To sum up the best advice I've seen.

  1. Suggest adding "no re 'eval';" to ensure it's off
  2. Use a sub-process (fork) with BSD::Resource (even on Linux) to ulimit memory and kill the child after some timeout
Perhaps #2 is overkill; there may be a simpler method, like additional flags to #1. Suggest adding a maxiterations to limit the number of times re is allowed to loop, and a maxmem.

References:

  1. Re^4: Untaint a string match, regular expression.
  2. Re^7: Untaint a string match, regular expression.
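The two steps above combined into a worked example (added here, not code from anyone in the thread): guarded_match is a hypothetical helper name, and it assumes a Unix fork() and that BSD::Resource is installed from CPAN.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use BSD::Resource qw(setrlimit RLIMIT_AS);   # CPAN module; caps the child's address space

# guarded_match($pattern, $text, %opt) is a hypothetical helper: it compiles a
# user-supplied pattern with code blocks disabled and runs the match in a forked
# child that is limited in memory and wall-clock time. Returns 1 on match, 0 on
# no match, undef if the child died or was killed (callers should reject the pattern).
sub guarded_match {
    my ($pattern, $text, %opt) = @_;
    my $timeout = $opt{timeout} || 2;                   # seconds of wall-clock time
    my $max_mem = $opt{max_mem} || 256 * 1024 * 1024;   # bytes of address space

    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                                     # child: do the risky work here
        close $rd;
        setrlimit(RLIMIT_AS, $max_mem, $max_mem) or exit 3;
        alarm $timeout;                                  # default SIGALRM action terminates the child
        my $re = eval { no re 'eval'; qr/$pattern/ } or exit 2;  # (?{ }) / (??{ }) refused
        print {$wr} (($text =~ $re) ? 1 : 0);
        close $wr;
        exit 0;
    }

    close $wr;                                           # parent: read the verdict, backstop the timeout
    local $SIG{ALRM} = sub { kill 'KILL', $pid };
    alarm $timeout + 1;
    my $out = <$rd>;
    alarm 0;
    close $rd;
    waitpid($pid, 0);
    return undef if ($? & 127) || ($? >> 8) != 0 || !defined $out;  # signalled or errored
    return $out ? 1 : 0;
}

# Constructed demo input: the code-block pattern is refused outright; the others run in the sandbox.
my $text = 'a' x 30;
for my $p ('^a+$', '^(a+)+b$', '(?{ 1 })') {
    my $r = guarded_match($p, $text, timeout => 2);
    printf "%-12s => %s\n", $p, defined $r ? $r : 'rejected';
}
```

A pattern that is killed for time or memory comes back as undef, so the caller can log and reject it without the parent process ever having run it.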

Re^2: Untaint a string match, regular expression.
by hdb (Monsignor) on May 18, 2015 at 07:53 UTC

    Depending on your application, I would really only let the user input wildcards like "*" and "?" (DOS style), not regular expressions. Alternatively, if the data to be matched comes from a database, SQL-style wildcards could be an alternative. Everything else will be escaped.

    This is easy to implement and will not create trouble with security or memory. It will also go a long way, probably for most applications.

    If you look at PM's Super Search, it works without any regular expressions but is still quite powerful.