in reply to Question on evaluating a user built regex

Security Hazard!

Are you sure you want to evaluate a user regexp? The user can insert a (?{...}) construct to include some Perl executable code, which can in turn include a call to system, or backticks, which can contain very bad things.

And there is more than one way to do nasty things. The user can write a Denial-of-Service regexp, a regexp which backtracks a lot and locks your machine. See Mastering Regular Expressions page 140+ (the book with two owls on the cover).

Update

Yes, Perlplexer, you are right. The security hazards are mostly irrelevant in a Perl/Tk program. Yet, my warning still holds for any monk who would use the answers in this thread for a CGI program (or any client-server app for that matter).
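The two hazards named above (an embedded (?{...}) code block and a pattern that backtracks for a long time) can each be mitigated before a user pattern is applied. The following is an added example and not code from the thread; the function names, the constructed test cases and the two-second deadline are my own choices. It refuses code blocks explicitly (Perl already dies on a run-time interpolated (?{...}) unless `use re 'eval'` is in effect, so the check is belt and braces), compiles the pattern inside eval, and runs the match in a forked child that is killed at a deadline. A child process is used rather than alarm in the same process because Perl's deferred ("safe") signals are only checked between opcodes, so an alarm cannot interrupt one long-running match. The third test case has a shape known for heavy backtracking; how badly it behaves depends on the engine version, which is exactly why the deadline is enforced from outside rather than assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ':sys_wait_h';          # WNOHANG
use Time::HiRes qw(time sleep);   # fractional sleep for the polling loop

# Added example (not from the original thread): compile a user-supplied
# pattern without letting it run code, and bound how long a match may take.

# Compile a user-supplied pattern.  Dies with a message on refusal or on
# a syntax error, so the caller can report it instead of crashing.
sub compile_user_regex {
    my ($pattern) = @_;

    # Refuse (?{ ... }) and (??{ ... }) code blocks outright.  Perl refuses
    # them in a run-time interpolated pattern unless "use re 'eval'" is in
    # effect, but an explicit check gives a clear error and does not depend
    # on that pragma being absent elsewhere in the program.
    die "code blocks are not allowed in a user pattern\n"
        if $pattern =~ /\(\?\??\{/;

    # If the user only wants a literal substring, quotemeta (\Q...\E) is the
    # right tool instead: qr/\Q$pattern\E/ cannot be abused at all.
    my $re = eval { qr/$pattern/ };
    die "invalid pattern: $@" unless defined $re;
    return $re;
}

# Run $text =~ $re in a forked child.  Returns 1 (match), 0 (no match), or
# undef if the child ran past $seconds and was killed.  The parent polls
# with WNOHANG, so no signal has to interrupt the matching process.
sub match_with_deadline {
    my ($re, $text, $seconds) = @_;

    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: the exit status carries the result back to the parent.
        exit(($text =~ $re) ? 0 : 1);
    }

    my $deadline = time() + $seconds;
    while (time() < $deadline) {
        my $done = waitpid($pid, WNOHANG);
        return (($? >> 8) == 0 ? 1 : 0) if $done == $pid;
        sleep 0.02;
    }
    kill 'KILL', $pid;    # pathological pattern: stop it and reap it
    waitpid($pid, 0);
    return undef;
}

# Constructed inputs for demonstration (hypothetical user input).
my @cases = (
    [ '^\d{3}-\d{4}$',                '555-1234' ],          # ordinary pattern
    [ 'a(?{ system "echo pwned" })b', 'ab' ],                # code block: rejected
    [ '^(\w+\s?)*$',                  ('word ' x 25) . '!' ], # nested quantifier, non-matching tail
);

for my $case (@cases) {
    my ($pattern, $text) = @$case;
    my $re = eval { compile_user_regex($pattern) };
    if (!defined $re) {
        chomp(my $err = $@);
        print "$pattern => rejected ($err)\n";
        next;
    }
    my $r = match_with_deadline($re, $text, 2);
    print "$pattern => ",
        (defined $r ? ($r ? 'match' : 'no match') : 'timed out, killed'), "\n";
}
```

In a CGI or other server-side program the deadline should be short and the child should additionally be run with resource limits, since killing it only protects the parent after the CPU has already been burned; for a desktop Tk program, as noted in the reply below, the same code is mostly protecting the user from himself.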

Re: Re: Question on evaluating a user built regex
by perlplexer (Hermit) on Apr 23, 2002 at 13:06 UTC
    He is using Tk...
    If the user of that Tk app so desires, he can surely lock up his own PC... but who cares? ;)

    --perlplexer