eXile has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I have this cgi script which is basically just a wrapper around YAPE::Regex::Explain :
#!/usr/bin/perl
use strict;
use CGI;
use YAPE::Regex::Explain;

my $cgi = CGI->new();
die unless $cgi->param('regex');
my $regex = $cgi->param('regex');
print $cgi->header('text/plain');
# The user-supplied string is interpolated straight into qr// and explained.
print YAPE::Regex::Explain->new(qr/$regex/)->explain;
I'm wondering if it is secure to pass $regex into YAPE::Regex::Explain this way, and if not please provide me with a way this could be exploited security-wise.

Replies are listed 'Best First'.
Re: CGI script security: putting untainted input into a qr//
by merlyn (Sage) on Apr 14, 2005 at 02:21 UTC
    Because you don't have use re 'eval' in scope, you're safe from arbitrary code execution. However, you might still get a denial-of-service attack on a long running regex, or perhaps a cross-site-scripting attack because you haven't escaped your less-thans in your print.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      thanks!

      I'm only wondering about the cross-site-scripting because I'm printing text/plain, so in theory no html is shown/executed, or is there?

        IIRC, IE will try to do the right thing (for its definition of the right thing). Even if you make it text/plain, I think it may render it as HTML if it looks like HTML.

        Update: Just checked this, and yes it does. The following code, in s.txt, renders as HTML in IE.

        <A HREF="/">Root</A> <IMG SRC="/logo.jpg">

        --MidLifeXis
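The following is an added example, not the original poster's script or anything from this thread: the same wrapper with the three points raised above addressed, namely keeping `use re 'eval'` out of scope so `(?{ })` in user input stays a compile error (merlyn), bounding the work done on a pattern (the denial-of-service concern), and sending `X-Content-Type-Options: nosniff` alongside `text/plain` so that browsers which honour it will not sniff an HTML-looking body the way MidLifeXis observed IE doing. It assumes CGI and YAPE::Regex::Explain are installed; the length cap, the timeout and the `explain_pattern` helper are my own choices.

```perl
#!/usr/bin/perl
# Added example (not the original poster's script): the qr// explain wrapper
# with the concerns from the thread addressed. Assumes CGI and
# YAPE::Regex::Explain are installed; the limits below are assumed values.
use strict;
use warnings;
use CGI;
use YAPE::Regex::Explain;
# Note: no 'use re "eval"' anywhere in scope. That is what makes (?{ }) and
# (??{ }) in an interpolated pattern a compile-time error rather than code
# execution.

my $MAX_LEN     = 200;   # assumed cap on pattern length, in characters
my $TIMEOUT_SEC = 2;     # assumed wall-clock budget for compile + explain

my $cgi   = CGI->new;
my $regex = $cgi->param('regex');

# Headers first, so every branch below produces a well-formed response.
# text/plain on its own is not enough against content sniffing, so also
# send X-Content-Type-Options: nosniff for browsers that honour it.
print "Content-Type: text/plain; charset=utf-8\r\n",
      "X-Content-Type-Options: nosniff\r\n",
      "\r\n";

print explain_pattern($regex);

# Compile and explain an untrusted pattern under a length cap and a timeout.
# Returns the explanation text, or a one-line reason why it was refused.
sub explain_pattern {
    my ($pat) = @_;
    return "no regex supplied\n" unless defined $pat && length $pat;
    return "pattern too long (max $MAX_LEN characters)\n"
        if length $pat > $MAX_LEN;

    my $out = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $TIMEOUT_SEC;
        # Malformed patterns, and patterns containing (?{ }) groups
        # ("Eval-group not allowed at runtime, use re 'eval'"), die here
        # at compile time and land in $@ instead of being executed.
        my $qr   = qr/$pat/;
        my $text = YAPE::Regex::Explain->new($qr)->explain;
        alarm 0;
        $text;
    };
    my $err = $@;
    alarm 0;    # never let an alarm outlive this request
    return $out if defined $out;

    return "pattern took too long to analyse\n" if $err eq "timeout\n";
    my ($first_line) = split /\n/, $err;    # Perl's message marks the error position
    return "pattern rejected: $first_line\n";
}
```

Two caveats on the bounds. The `alarm` is delivered at Perl's next safe point, so it is a budget rather than a hard guarantee against a pathological pattern; the length cap is the cheaper and more reliable of the two limits. And `nosniff` only helps in browsers that implement it, so the `text/plain` body is still kept free of anything the script does not need to echo.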