bobn has asked for the wisdom of the Perl Monks concerning the following question:

Playing around with Safe.pm to write a prog that would safely allow users to enter test strings and regexes and test matching. Found the following:
    #!/usr/bin/perl -w
    use Safe;
    $c = new Safe;
    $c->permit_only( qw( leaveeval const ));
    $result = $c->reval('"A" =~ m/a/i') ? 'YES' : 'NO';
    die "$@\n" if $@;
    print "\$result = $result\n";
    __END__

This works, even though I didn't permit 'match'.

Current output is "$result = YES".

Changing regex to delete the i causes "$result = NO".

Eliminating either OP in the permit_only() causes the $c->reval to fail compilation with "<OP> item trapped by operation mask at (eval 2) line 1", as expected.

Shouldn't I need to permit 'match' for this to pass reval()?

This happens on perl 5.005_03, 5.6.0 and 5.8.0 on Linux, and perl 5.6.1 from ActiveState on WinNT. (The code on 5.8.0 permitted a few more OPs but still worked without 'match'). Since it happens on so many systems, I'm thinking I'm just missing something obvious.

--Bob Niederman, http://bob-n.com

Re: Catching m// with Safe.pm
by broquaint (Abbot) on Jun 09, 2003 at 10:19 UTC
    I think you may have hit upon a bug where the opmask (which controls which ops are allowed) flips too many bits as it were and allows more ops than it should (the permit sub does have a comment saying it needs more testing ...). It would be a good idea to send off an e-mail to the good folk of p5p who revel in this sort of low-level opcode munging.
    HTH

    _________
    broquaint

      Bugreport sent 4 July 2003, ack'd on 14 July 2003.

      --Bob Niederman, http://bob-n.com

        As of Jul 17, "Fixed In 5.8.1-RC1"

        --Bob Niederman, http://bob-n.com
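
A regression check for the behaviour discussed in this thread, added here as an example and not code from any of the posters: it denies one regex op at a time in a default Safe compartment and confirms both that the op is in the compartment's mask and that reval() actually traps it. Using deny() on the default mask instead of the question's permit_only() list is an assumption made so the script runs on current perls; the probes other than the question's own expression are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;
use Opcode qw(opset_to_ops);

# Constructed probes: op name => expression whose compilation needs that op.
my @probes = (
    [ match => q{"A" =~ m/a/i} ],              # the expression from the question
    [ subst => q{my $s = "A"; $s =~ s/A/b/} ],
    [ qr    => q{qr/a/i} ],
);

# Run $expr in a compartment; true if the opmask rejected it at compile time.
sub trapped {
    my ($cpt, $expr) = @_;
    $cpt->reval($expr);
    return $@ =~ /trapped by operation mask/ ? 1 : 0;
}

# For one op: is it in the mask after deny(), and is the mask enforced?
sub check_op {
    my ($op, $expr) = @_;
    my $control = Safe->new;                   # default mask, op not denied
    my $denied  = Safe->new;
    $denied->deny($op);
    my $in_mask = grep { $_ eq $op } opset_to_ops($denied->mask);
    return {
        op       => $op,
        in_mask  => $in_mask ? 1 : 0,
        control  => trapped($control, $expr),  # should not be trapped
        enforced => trapped($denied,  $expr),  # should be trapped
    };
}

my $bad = 0;
for my $p (@probes) {
    my $r  = check_op(@$p);
    my $ok = $r->{in_mask} && !$r->{control} && $r->{enforced};
    $bad++ unless $ok;
    printf "%-6s in_mask=%d control_trapped=%d denied_trapped=%d %s\n",
        @{$r}{qw(op in_mask control enforced)}, $ok ? 'ok' : 'MISMATCH';
}
exit($bad ? 1 : 0);    # non-zero exit if any denied op was not trapped
```

A MISMATCH line with in_mask=1 and denied_trapped=0 corresponds to what the question reports: the mask lists the op, yet compilation inside the compartment is not stopped.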