in reply to Re: $1 in variable regex replacement string
in thread $1 in variable regex replacement string

So I pose roughly the same question here that I posed to tadman -- if I go the /e or /ee route, what are the things that $repl might contain that could potentially do horrible things?

If I filter out '(?{...})' constructs, is that enough? If so, this solution is doable.


Re: Re: Re: $1 in variable regex replacement string
by CountZero (Bishop) on Feb 13, 2003 at 07:01 UTC

    Really bad things could happen even outside '(?{...})' constructs.

    For example (this is something totally innocent, but you get the idea):

    use strict;
    use warnings;
    my $str  = 'abcadefaghi';
    my $pat  = qr/(a.)/;
    my $repl = 'system dir ';   # "innocent" here, but it is arbitrary Perl source
    # /ee: the first e yields the string held in $repl, the second e runs that
    # string as Perl code, so every match executes `system dir`.
    $str =~ s/$pat/$repl/eeg;

    Of course you could try to filter out all system, exec and backticks, but that is only solving a small part of the possible problems as anything inside the $repl-variable gets run as a perl-program.

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law
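One way to get $1 into a variable replacement string without /e or /ee at all is to expand the template by hand, so its contents are only ever data. This is an added example, not code from the thread; the sub names expand_template and safe_subst are my own.

```perl
use strict;
use warnings;

# Expand a replacement template against one match's captures, by hand.
# $cap->[0] is the whole match, $cap->[1] is group 1, and so on.
# Recognised tokens: $N, ${N}, \N and $&; a backslash escapes the next
# character; anything else is copied literally. The template is never
# compiled or eval'd, so whatever it contains cannot run as Perl.
sub expand_template {
    my ($template, $cap) = @_;
    my $out = '';
    while ($template =~ /\G(?:\$\{(\d+)\}|\$(\d+)|\\(\d+)|\$&|\\(.)|([^\$\\]+)|(.))/gcs) {
        if (defined $1 or defined $2 or defined $3) {
            my $n = defined $1 ? $1 : defined $2 ? $2 : $3;
            $out .= $n <= $#{$cap} ? $cap->[$n] : '';   # unknown group -> ''
        }
        elsif (defined $4) { $out .= $4 }               # backslash-escaped char
        elsif (defined $5) { $out .= $5 }               # run of plain text
        elsif (defined $6) { $out .= $6 }               # lone '$' or '\'
        else               { $out .= $cap->[0] }        # $&
    }
    return $out;
}

# Replace every match of $pat in $str using $template, with no /e or /ee.
sub safe_subst {
    my ($str, $pat, $template) = @_;
    my ($out, $last) = ('', 0);
    while ($str =~ /$pat/g) {
        # Copy the match data out before any other regex can clobber it.
        my ($start, $end) = ($-[0], $+[0]);
        my @cap = map { defined $-[$_] ? substr($str, $-[$_], $+[$_] - $-[$_]) : '' }
                  0 .. $#+;
        $out .= substr($str, $last, $start - $last)
              . expand_template($template, \@cap);
        $last = $end;
    }
    return $out . substr($str, $last);
}

# The same data as CountZero's post: a benign template, then the hostile one,
# which now comes out as literal text instead of running a command.
my $str = 'abcadefaghi';
my $pat = qr/(a.)/;
print safe_subst($str, $pat, '[$1]'), "\n";
print safe_subst($str, $pat, 'system dir '), "\n";
```

Because the template is tokenised rather than evaluated, there is nothing to filter: '(?{...})', system, backticks and the rest are all just characters to copy.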