I'm writing a little language in Perl (http://www.bearscript.com/docs/) and am adding support for doing regular expressions within the code.

The one I'm concerned about is the replace function, which is the equivalent of s///. This is because I want the user to be able to do backreferences, which as far as I can tell, based on another Perlmonks seeker of wisdom, is only possible using the /ee modifier.

This is essentially what I've got at the moment. This very simply converts a UK date to an ISO date.

    $date = "10-09-2004";
    print &replace($date, q"(\d+)-(\d+)-(\d+)", q"$3-$2-$1"), "\n";

    sub replace {
        my $value     = shift;          # string to operate on
        my $this      = shift;          # pattern source, passed in as a q"" literal
        my $with      = shift;          # replacement source, also a q"" literal
        my $modifiers = shift || '';    # optional: any of g, i, s, m (default: none)
        $this = &pattern($this, $modifiers);
        # /ee: the first eval builds the string qq{$with}, the second eval
        # interpolates it, which is what resolves $1, $2 ... inside $with
        if ($modifiers =~ /g/) {
            $value =~ s/$this/qq{qq{$with}}/gee;
        } else {
            $value =~ s/$this/qq{qq{$with}}/ee;
        }
        return $value;
    }

    sub pattern {
        my $pattern   = shift;
        my $modifiers = shift;
        if ($modifiers =~ /[^gism]/) {
            die "Only m, i, s and g are valid pattern modifiers.";
        }
        $modifiers =~ s/g//;            # g is a substitution flag, not a pattern flag
        return qr"(?$modifiers)$pattern";
    }

Now bear in mind that the first two lines there are essentially generated by my interpreter (well, it generates code that is equivalent to that), so it's always a q"" construct when passing the parameters to the functions (which are hand-written and not generated by the interpreter). So nothing is interpolated before it's passed through to the function.

My question is one of security. Since I'm essentially eval'ing the value of $with, what could they possibly include within the third parameter of the call to &replace that could do something nasty? I'm aware the user could peek at the Perl variables they normally don't see, but that's not an issue. And when I've tried to include calls to functions and other things within that parameter, I've not managed to get any unwanted side-effects. But maybe I'm just not creative enough. Am I missing something here, is this safe?


In reply to Security with /ee modifier by richard5mith
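The risk the question raises, as an added illustration that is not part of richard5mith's post: with /ee the replacement string is Perl source, so anything qq{} interpolates, such as an @{[ ... ]} expression, is executed; the lookup-based replace_backrefs below resolves $1..$9 from the match offsets without any eval. The names replace_ee and replace_backrefs are mine, not the interpreter's.

```perl
use strict;
use warnings;

# Constructed example, not code from the original post. Both routines take
# (string, pattern, replacement) like the poster's replace(); the replacement
# string is the part the script author controls.
sub replace_ee {
    my ($value, $pattern, $with) = @_;
    my $re = qr/$pattern/;
    $value =~ s/$re/qq{qq{$with}}/gee;   # second eval runs $with as Perl source
    return $value;
}

# Safe variant: $1..$99 in the replacement are resolved by table lookup from
# the match offsets; everything else is copied literally and nothing is eval'd.
sub replace_backrefs {
    my ($src, $pattern, $with) = @_;
    my $re  = qr/$pattern/;
    my $out = $src;
    $out =~ s{$re}{
        my @start = @-;                  # copy offsets before the inner s/// runs
        my @end   = @+;
        (my $rep = $with) =~ s{\$([1-9]\d*)}{
            ($1 <= $#start && defined $start[$1])
                ? substr($src, $start[$1], $end[$1] - $start[$1])
                : ''                     # unmatched or non-existent group
        }ge;
        $rep
    }ge;
    return $out;
}

my $date = '10-09-2004';
print replace_ee($date, '(\d+)-(\d+)-(\d+)', '$3-$2-$1'), "\n";        # 2004-09-10
print replace_backrefs($date, '(\d+)-(\d+)-(\d+)', '$3-$2-$1'), "\n";  # 2004-09-10

# qq{} interpolates @{[ ... ]}, so under /ee the replacement is code, not data.
my $expr = '@{[ 6 * 7 ]}';
print replace_ee($date, '\d+', $expr), "\n";        # 42-42-42
print replace_backrefs($date, '\d+', $expr), "\n";  # @{[ 6 * 7 ]}-@{[ 6 * 7 ]}-@{[ 6 * 7 ]}
```

The pattern argument is less exposed, since Perl refuses (?{ ... }) in a pattern built from an interpolated variable unless use re 'eval' is in effect, but a user-supplied pattern can still be made pathologically slow to match.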
