Mind the meta!

I was a little surprised that in a recent thread no one seemed to flinch at code that was essentially the equivalent of $logged_in = $expect_pass=~/$FORM{pass}/i;.

If you happen to be wondering "Why is that bad?" - Because $FORM{pass} most likely comes from an HTML form (or at the very least could contain user input), and its contents will be interpolated into and interpreted as a regular expression, leaving the user free to input ".*", which of course matches anything, and so the user is always logged in!

One solution is to use /\Q$FORM{pass}\E/, which causes characters that would normally be special in a regular expression to be escaped - see quotemeta. In addition, the regex should probably be anchored, to prevent partial matches: /^\Q$FORM{pass}\E$/. Of course, in this example the much easier solution is to just use $expect_pass eq $FORM{pass} instead of a regex!

I feel like \Q...\E is forgotten too often when interpolating variables into regexes, and it seems to be often overlooked here on PerlMonks when people post code like the above. In fact, I see it forgotten often enough that I think instead \Q...\E should be everyone's default thought when interpolating variables into regular expressions, only to be left off when one has a good reason to (like dynamically building regexes - but of course doing that with unchecked user input is dangerous!).

So please, mind the meta(characters) and remember \Q...\E!

Comment on Mind the meta! Select or Download Code

Replies are listed 'Best First'.
Re: Mind the meta! by Eily (Monsignor) on Mar 02, 2016 at 08:48 UTC
If you need to check that a string is included in another, index will often do both a faster and safer job. You'll need to lc both variables for a case insensitive comparison though. And when it comes to security with user input, Taint mode is probably what you should rely on, rather than just expecting to never leave a security hole through multiples evolutions and corrections.	[reply]
Re: Mind the meta! by LanX (Saint) on Mar 03, 2016 at 22:08 UTC
Since when is a regex better than `eq` to check a password? Cheers Rolf _{(addicted to the Perl Programming Language and ☆☆☆☆ :) Je suis Charlie!}	[reply]
Re^2: Mind the meta! by Anonymous Monk on Mar 04, 2016 at 11:24 UTC
Understand what you're saying, but the fc and `\F` are since v5.16. "Since when is it better to case-fold passwords?" :^)	[reply] [d/l]
Re^3: Mind the meta! by LanX (Saint) on Mar 04, 2016 at 12:02 UTC
OK I missed the case insensitive `/i` part, mea culpa! > "Since when is it better to case-fold passwords?" :^) For me case folding of passwords is a reason to ignore a discussion thread ... ;-) Cheers Rolf _{(addicted to the Perl Programming Language and ☆☆☆☆ :) Je suis Charlie!}	[reply] [d/l]
Re^4: Mind the meta! by Your Mother (Archbishop) on Mar 04, 2016 at 12:34 UTC
Re^5: Mind the meta! (case, DBs) by tye (Sage) on Mar 04, 2016 at 14:50 UTC
Some notes below your chosen depth have not been shown here
Re^5: Mind the meta! by LanX (Saint) on Mar 04, 2016 at 12:46 UTC
Some notes below your chosen depth have not been shown here
Re^5: Mind the meta! by Anonymous Monk on Mar 04, 2016 at 13:29 UTC
Re: Mind the meta! by mr_mischief (Monsignor) on Mar 03, 2016 at 15:14 UTC
Far better would be to hash the password and check that the hash exactly matches the expected hash of the password, and to only store the password pre-hashed.	[reply]