in reply to Re^2: Passing a regex from a CGI HTML form (user supplied regex substitution without eval)
in thread Passing a regex from a CGI HTML form

Seems like these types of modules try to make an explicitly unsafe course of action less unsafe.

From String::Interpolate::RE Docs -
This module interpolates variables into strings using regular expression matching rather than Perl's built-in interpolation mechanism and thus hopefully does not suffer from the security problems inherent in using eval to interpolate into strings of suspect ancestry.

From String::Interpolate Docs -
Because the Perl string interpolation engine can call arbitrary Perl code you do not want to want to use it on strings from untrusted sources without some precautions. For this reason String::Interpolate objects can be made to use Safe compartments. This is, of course, only as safe as Safe and you are advised to read "WARNING" section of the Safe documentation.

Your code did not compile for me, but I guess the point is to try and override the substitution operator with some subset of safer features. I acknowledge that could be successful, but also the op could just use eval in any context where all user input is trusted and be fine. The OP is troubleshooting his gambling code on the clock here so every second counts.

  • Comment on Re^3: Passing a regex from a CGI HTML form (user supplied regex substitution without eval)

Replies are listed 'Best First'.
Re^4: Passing a regex from a CGI HTML form (user supplied regex substitution without eval)
by Anonymous Monk on Sep 01, 2016 at 02:21 UTC

    You gotta have a canned solution for ignorant newbees and impatient veterans

    Its not like it takes long to DIY-up a little safety, I typed up the above in preview box, now tested, with own Turpolate 

    use String::Interpolate::RE qw( strinterp );
print Substitution("BellyAche\n", '([a-z])([A-Z])', '$1    $2', '');
print Substitution("BellyAche\n", '([a-z])([A-Z])', '$1    $2', 'g');
sub Substitution {
    my( $in, $re, $rep, $flags ) = @_;
    my $global  =  $flags =~ m{g}i;
    my $qrFlags =  join '', $flags =~ m{([msixpodualn])}i;
    $qrFlags = "(?$qrFlags)";
    $re = qr{$qrFlags$re};
    if( $global ){
         $in =~ s{$re}{
           Replace($rep, \%+,{1=>$1,2=>$2,3=>$3});
         }gex;
    } else {
         $in =~ s{$re}{
           my $vars = {
               %+, 1=>$1, 2=>$2, 3=>$3,
           };
           Turpolate( $rep, $vars );
         }ex;
    }
    return $in;
}
sub Turpolate {
    my( $str, $vars ) = @_;
    $str =~ s{\$(\w+)}{
        exists $vars->{$1}
        ? $vars->{$1}
        : '$'.$1
    }gex;
    return $str;
}
sub Replace {
    my( $rep, $named, $numed ) = @_;
    my $vars = { %$named, %$numed, 'bananas','bananas' };
    return strinterp( $rep, $vars );
}
__END__
Belly    Ache
Belly    Ache

    [download]
[reply]
[d/l]
      print Substitution("canned","working"); #canned
print Substitution("canned","compiles",'$1 $2','g'); #canned
print Substitution("canned","flawed",'$1 $2'); #canned
print Substitution("canned",".*",`ls`); #first directory entry
`touch down`;
print Substitution("canned",".*",`rm down`); #deleted file

      [download]
[reply]
[d/l]

        Heheh, what do you think that proves?

[reply]

In Section Seekers of Perl Wisdom