Re: Security with /ee modifier

Others have answered the OP's original question about security but can I please ask people to stop promolgating this...

s/$this/qq{qq{$with}}/eeg;
[download]

It's wrong (even assuming $with can be trusted not to be malicious). It breaks even if $with contains an innocent closing brace. If you want to do this it's more resilient with a here doc.

s{$this}{
  chop( my $r = eval "<<_END_\n$with\n_END_" );
  die $@ if $@;
  $r;
}eg;
[download]

Comment on Re: Security with /ee modifier Select or Download Code

Replies are listed 'Best First'.
Re^2: Security with /ee modifier by gaal (Parson) on Oct 04, 2004 at 16:28 UTC
Which is more resilient, but not bulletproof, as I've pointed out. It breaks if $with contains `"\n_END_\n"` or starts with `"_END_\n"`.	[reply] [d/l] [select]
Re^3: Security with /ee modifier by bart (Canon) on Oct 05, 2004 at 05:48 UTC
It can be made safer by escaping this case. `print <<"_END_"; It works! \_END_ It really does. _END_` [download] which prints: It works! _END_ It really does. It works because apparently you can escape underscores with a backslash, and still have them as just a backslash. If you don't trust this perl feature — I can't say I've seen it documented anywhere, you might feel safer using something else as a delimiter, something that actually starts with a `\W` character, like "END". `print <<"END"; It works! \END It really does. END` [download] There isn't even a need to try and find something uniqueish. A plain "" will do. The complete code can then become: `$with =~ s/^\$/\\/mg; s{$this}{ my $r = eval qq[<<""\n$with\n*\n]; die $@ if $@; chop $r; $r; }eg;` [download]	[reply] [d/l] [select]
Re^4: Security with /ee modifier by gaal (Parson) on Oct 05, 2004 at 07:43 UTC
This breaks if the original contained the sequence `\*` . As for \-before-anything, it's sort of implied by the docs to `quotemeta`, but not really.	[reply] [d/l] [select]
Re^2: Security with /ee modifier by ihb (Deacon) on Oct 04, 2004 at 17:13 UTC
What you really should use is a `&qquote` function a la Data::Dumper. Such a function makes sure that the delimiter isn't in the input string. `ihb` Read argumentation in its context!	[reply] [d/l] [select]