in reply to Re: user supplied regex substitution
in thread user supplied regex substitution

:) I wish the OP had linked Re^2: Passing a regex from a CGI HTML form (user supplied regex substitution without eval) as it links your regex tester :D

Re^3: user supplied regex substitution
by davido (Cardinal) on Sep 01, 2016 at 21:42 UTC

    Yes, that's where I began to learn how hard it is to safely accept user-supplied regexes, and started as an experiment in that regard. :)

    The tester uses Safe and some heuristics to reduce the vulnerability to introspection of globals and special variables. It uses Sys::SigAction to time out long-running regexes (and consequently, has a tendency to segfault from time to time), looks for a few common "bad player" type regexes... and still isn't safe. But it runs in a little Heroku world, and when it does get cranky its scope is limited.


    Dave

      much safer than string-eval though :)

        Agreed!


        Dave
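
An added example, not part of the thread and not the code of the regex tester discussed above: one way to apply a user-supplied substitution without string-eval and with a hard time limit. It does not use Safe or Sys::SigAction; it swaps in a forked child plus `alarm` with the default SIGALRM action, so a runaway match is ended by the kernel rather than by a Perl-level signal handler. The names `safe_subst` and `expand_template`, the `$0`..`$9` template syntax and the sample inputs are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(SIGALRM);

# Expand $0..$9 in the replacement template by hand; nothing is eval'd.
sub expand_template {
    my ($template, @cap) = @_;              # $cap[0] is the whole match
    $template =~ s/\$(\d)/defined $cap[$1] ? $cap[$1] : ''/ge;
    return $template;
}

# Hypothetical helper: apply a user-supplied s///g with a hard time limit.
sub safe_subst {
    my ($text, $pattern, $template, $secs) = @_;
    # No "use re 'eval'" in scope, so an interpolated pattern containing
    # (?{ ... }) or (??{ ... }) dies here instead of running code.
    my $re = eval { qr/$pattern/ };
    return (undef, "rejected pattern: $@") unless defined $re;

    pipe(my $rd, my $wr) or die "pipe: $!";
    defined(my $pid = fork()) or die "fork: $!";
    if ($pid == 0) {                        # child: does all the matching
        close $rd;
        $SIG{ALRM} = 'DEFAULT';             # no Perl handler: the kernel kills us
        alarm $secs;
        my ($out, $last) = ('', 0);
        while ($text =~ /$re/g) {
            my ($s, $e) = ($-[0], $+[0]);
            my @cap = map { defined $-[$_] ? substr($text, $-[$_], $+[$_] - $-[$_]) : undef } 0 .. $#+;
            $out .= substr($text, $last, $s - $last) . expand_template($template, @cap);
            $last = $e;
        }
        print {$wr} $out . substr($text, $last);
        close $wr;
        exit 0;
    }
    close $wr;
    my $out = do { local $/; <$rd> };       # read child's result until EOF
    waitpid($pid, 0);
    return (undef, "timed out after ${secs}s\n") if ($? & 127) == SIGALRM;
    return (undef, "child exited with status $?\n") if $?;
    return ($out, undef);
}

# Constructed sample inputs: a benign substitution and a code-block pattern.
my $text = 'alice@example.com, bob@example.com';
for my $case (['(\w+)@example\.com', '<$1>'], ['(?{ 1 })\w+', 'x']) {
    my ($out, $err) = safe_subst($text, @$case, 2);
    print defined $out ? "ok: $out\n" : "error: $err";
}
```

This bounds wall-clock time only; memory use and the size of the returned text would need their own limits.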