in reply to Re: User regexps
in thread User regexps

And you should of course be aware of source code injection. Suppose the user specifies: "a/; system( 'some evil command' ); m/a" and your code is:
eval "m/$query/";
But that's not the code! Read the post. The code is:
my $re = $_->regex; $matchtext =~ /$re/i;
There's no danger of source code injection here (unless there's an unseen use re 'eval' in an enclosing scope).

Abigail
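The distinction above, as an added example that is not from the thread: the user's text is compiled with qr// inside a block eval (which only traps compile errors, it does not evaluate the text as Perl), and the (?{ ... }) caveat is shown being rejected because no use re 'eval' is in scope. The inputs and compile_user_regex are constructed for the illustration; the string-eval form from the quoted post is deliberately not run.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compile a user-supplied pattern without string eval. The block eval traps
# compile errors only: bad syntax, or a (?{ ... }) code block, which Perl
# refuses inside an interpolated pattern unless 'use re "eval"' is in scope.
sub compile_user_regex {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/i };
    return ($re, undef) if defined $re;
    (my $err = $@) =~ s/ at \S+ line \d+\.?\s*\z//;   # drop "at FILE line N"
    return (undef, $err);
}

# Constructed inputs: the payload quoted in the post, an ordinary pattern,
# an unbalanced one, and one carrying a (?{ ... }) code block.
my @inputs = (
    "a/; system( 'some evil command' ); m/a",
    'perl(monks)?',
    'unbalanced(',
    '(?{ print "code ran\n" })x',
);

# Constructed text to match against; the quoted payload is plain text here.
my $matchtext = "PerlMonks: system( 'some evil command' ) is only text";

for my $input (@inputs) {
    my ($re, $err) = compile_user_regex($input);
    if (!defined $re) {
        print "rejected: $input\n   reason: $err\n";
        next;
    }
    # Interpolating $re into a match treats the user's text as a pattern
    # only; none of it is parsed or executed as Perl code.
    my $hit = $matchtext =~ /$re/ ? 'matches' : 'no match';
    print "compiled: $input\n   $hit\n";
}
```

Running it shows the first two inputs compiling as harmless patterns, the third rejected for an unmatched parenthesis, and the fourth rejected with Perl's "Eval-group not allowed at runtime" error, which is exactly the case that use re 'eval' would reopen.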

Re: Re: User regexps
by dd-b (Pilgrim) on Jan 14, 2004 at 18:22 UTC
    Took me a while to understand why the second was safe and the first wasn't. Thanks for putting them side by side, clearly labeled, for me to think about. I would have used the second without worry, and the first (anything with an eval on user data) always worries me, but that's just habit. Looking at these two examples bumped it back up to real understanding again, which is always nice.