in reply to Security with /ee modifier

The user can run arbitrary code (just like eval $tainted_data). If you want to allow that, I suggest you use the Safe module (example RegexLab (a wxPerl version)).

If all you want to allow is backreferences, all you need is 1 eval, something like (untested):

    my %backrefs;
    my( @backrefs ) = $with =~ /\$(\d+)/g;   # the $N tokens the replacement uses
    if ($modifiers =~ /g/) {
        # braces as the outer delimiters so the inner s/// can use slashes
        $value =~ s{$this}{
            no strict 'refs';
            # snapshot $1, $2, ... from the outer match before the inner s/// clobbers them
            @backrefs{@backrefs} = map { ${$_} } @backrefs;
            my $ret = $with;
            # only $N is expanded; the rest of $with stays literal text, never code
            $ret =~ s/\$(\d+)/$backrefs{$1}/g;
            undef %backrefs;
            $ret;
        }ge;
    } else {
        ...

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
** The third rule of perl club is a statement of fact: pod is sexy.
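The two approaches side by side, as an added example that is not code from the thread: a /ee substitution that executes whatever the user supplies, next to a version that expands only $N backreferences and never evaluates the replacement. The function names (substitute_ee, substitute_backrefs), the sample text and the sample replacement strings are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a user-supplied search/replace, first
# with /ee (executes the replacement as Perl code), then with a version that
# expands only $N backreferences. Function names and sample inputs are
# constructed for illustration.
use strict;
use warnings;

# UNSAFE: /ee evaluates $with twice, so the user's replacement string is
# Perl code running with this script's privileges (the thread's point).
sub substitute_ee {
    my ($text, $pattern, $with, $global) = @_;
    if ($global) { $text =~ s/$pattern/$with/gee }
    else         { $text =~ s/$pattern/$with/ee  }
    return $text;
}

# SAFER: treat $with as text; only $N tokens are replaced, using the offsets
# in @- and @+ from the match the enclosing s/// just made. No eval and no
# symbolic refs, so nothing in $with can be executed.
sub substitute_backrefs {
    my ($text, $pattern, $with, $global) = @_;
    my $orig = $text;            # captures are cut from the unmodified input
    my $expand = sub {
        # @- / @+ belong to the outer match; snapshot them before the inner
        # s/// below overwrites them. $cap[0] is the whole match ($0 in $with);
        # a group that did not participate becomes the empty string.
        my @cap = map {
            defined $-[$_] ? substr($orig, $-[$_], $+[$_] - $-[$_]) : ''
        } 0 .. $#+;
        my $ret = $with;
        $ret =~ s/\$(\d+)/ $1 <= $#cap ? $cap[$1] : '' /ge;
        return $ret;
    };
    if ($global) { $text =~ s/$pattern/$expand->()/ge }
    else         { $text =~ s/$pattern/$expand->()/e  }
    return $text;
}

# Constructed sample input.
my $value = 'Date: 2004-09-26, due 2004-10-03';
my $this  = '(\d{4})-(\d{2})-(\d{2})';

# A well-behaved user: under /ee the replacement has to be quoted Perl code,
# under the backreference-only version it is plain text with $N tokens.
print substitute_ee($value, $this, '"$3/$2/$1"', 1), "\n";
print substitute_backrefs($value, $this, '$3/$2/$1', 1), "\n";

# A hostile user: with /ee this runs arbitrary Perl (here only a warn, once
# per match); with the backreference-only version it is copied as literal text.
my $evil = 'do { warn "arbitrary code ran\n"; "pwned" }';
print substitute_ee($value, $this, $evil, 1), "\n";
print substitute_backrefs($value, $this, $evil, 1), "\n";
```

Both well-behaved calls reformat the two dates the same way; the hostile string makes substitute_ee execute the warn for every match, while substitute_backrefs just copies it into the output. Note that the search pattern is still user-controlled here: Perl refuses to compile a (?{ ... }) code block inside an interpolated pattern unless use re 'eval' is in effect, so that path is closed, but a pathological pattern can still burn CPU, which is a separate problem this example does not address.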

Re^2: Security with /ee modifier
by richard5mith (Beadle) on Sep 26, 2004 at 15:32 UTC

    Interesting, I like that approach.

    Although any time I put arbitrary code in my example, it doesn't get run, even though I expected it to be. Whatever I put, other than variable names, just gets printed (other function calls, built-in function names, anything).

      ...Whatever I put...
      it has to be perl code that compiles, like $with = q|}; warn "\n# Hi" while 1; q{|; or $with = q|${warn "\n# hi" while 1}|;


        And now it all becomes clear.

        I'll go with your proposed solution that simply allows backreferences. Thanks.