I forced the issue when Ilya was initially hesitant by saying that I would have a CERT warning prepared against Perl 5.6.0 if this feature went in without the restriction, as it would open up holes worldwide to many naive sites.

For reasons of security, this construct is forbidden if the regular expression involves run-time interpolation of variables, unless the perilous "use re 'eval'" pragma has been used (see the re manpage), or the variables contain results of "qr//" operator (see the qr/STRING/imosx entry in the perlop manpage). This restriction is because of the wide-spread and remarkably convenient custom of using run-time determined strings as patterns. For example:

    $re = <>;
    chomp $re;
    $string =~ /$re/;

Before Perl knew how to execute interpolated code within a pattern, this operation was completely safe from a security point of view, although it could raise an exception from an illegal pattern. If you turn on the "use re 'eval'", though, it is no longer secure, so you should only do so if you are also using taint checking. Better yet, use the carefully constrained evaluation within a Safe module. See the perlsec manpage for details about both these mechanisms.
-- Randal L. Schwartz, Perl hacker
In reply to Re: Re: Re: How to identify invalid reg. expr.?
by merlyn
in thread How to identify invalid reg. expr.?
by armyk
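The restriction the quoted perlre text describes can be seen directly. The script below is an added illustration, not code from the post above or from the Perl documentation; it assumes a Perl that enforces the run-time code-block restriction (5.6.0 or later) and uses a constructed "user pattern" whose embedded code block does nothing but set a package variable, so the only thing under test is whether Perl is willing to compile it at all.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of run-time input: a "pattern" that smuggles in a
# (?{ ... }) code block. The block itself is inert; the question is whether
# Perl will compile and run code that arrived as data.
my $untrusted = '(?{ $main::ran = 1 })x';

# Case 1: plain interpolation of a run-time string.
# Without 'use re "eval"' Perl refuses at pattern-compile time with
# "Eval-group not allowed at runtime", so the die is caught by eval {}.
sub try_interpolate {
    my ($pat, $str) = @_;
    my $ok = eval { $str =~ /$pat/; 1 };
    return $ok ? "compiled and ran" : "refused: $@";
}
print try_interpolate($untrusted, 'x'), "\n";

# Case 2: the defensive way to accept a pattern from a user when you only
# need literal matching: \Q...\E (quotemeta) escapes every metacharacter,
# so "(?{" is searched for as plain text and no code block ever exists.
sub match_literal {
    my ($pat, $str) = @_;
    return $str =~ /\Q$pat\E/ ? 1 : 0;
}
print "literal match of untrusted text against 'x': ",
      match_literal($untrusted, 'x'), "\n";
print "literal match of 'a.c' against 'abc': ",
      match_literal('a.c', 'abc'), "\n";   # '.' is no longer a wildcard

# Case 3: a qr// object built from code the programmer wrote may contain a
# code block and may be interpolated into another pattern, because the
# code came from source text, not from a run-time string. This is the
# "variables contain results of qr//" exception in the quoted text.
my $trusted = qr/(?{ $main::ran = 1 })x/;
'x' =~ /$trusted/;
print "trusted qr// code block executed: ",
      ($main::ran ? "yes" : "no"), "\n";
```

Running under taint mode (perl -T) changes nothing about case 1: the refusal is a property of the regex compiler, not of tainting. Taint checking and the Safe module, as the quoted text says, are what you reach for only after deciding to enable 'use re "eval"' deliberately.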