in reply to User regexps

If you can't trust your users it would be better to allow just a limited subset of regexen ( maybe only allow the characters []()A-z0-9\s.+*?|- and nothing else ).

Replies are listed 'Best First'.
Re: User regexps
by Abigail-II (Bishop) on Jan 14, 2004 at 15:44 UTC
    And that's going to prevent you from danger exactly how?

    There are two potential dangers when running user supplied regexes. 1) arbitrary code injection and 2) resource exhaustion. 1) is not possible by default, only if you enable use re 'eval', or use string eval (which isn't done by the OP). 2) is a more serious problem, and can be archieved with the limited of characters you propose.

    Abigail

[reply]
[d/l]
      The resource exhaustion issues can be partly defended against using ulimit at the shell level, or suitable system calls. I don't actually know if there's a direct Perl interface to that; nothing in perlfunc anyway.
[reply]
[reply]
Re: Re: User regexps
by paulbort (Hermit) on Jan 15, 2004 at 20:37 UTC
    Whether you can trust your users isn't an issue. Whether you can trust anyone who might come across your UI anytime in the future is an issue.

    Out of general paranoia our CGI wrapper drops any characters that are not in {A-Za-z0-9-\/.@,: }. (And ':' was a recent addition, to support entering URLs.)

    --
    Spring: Forces, Coiled Again!
[reply]

In Section Seekers of Perl Wisdom