in reply to qr/string/ is not the same as qr/$var/ ?

Seems like you could eval it safely without compromising too much functionality if you chose some unlikely delimiters and eliminated them from the input:
use strict; use warnings;
my $scary_regex = shift;
$scary_regex =~ tr/\cA//d;   # There are now no control-As in the string,
                             # so I can safely use them as delimiters
my $safe_pat = eval "qq\cA$scary_regex\cA";
my $safe_reg = qr/$safe_pat/;
print "Safe pat is $safe_pat; reg is $safe_reg\n";
Is there danger here that I don't see?

Update: Pustular Postulant pointed out that you could go straight to the regex, rather than having the intermediate $safe_pat string (just use qr instead of qq). When I was putting it together, something told me that wasn't safe, but I think it is.
Also note that \cA on the input works fine, if you actually want control-A in your pattern.


Caution: Contents may have been coded under pressure.

Re^2: qr/string/ is not the same as qr/$var/ ?
by Roy Johnson (Monsignor) on Apr 20, 2005 at 19:19 UTC
    Eval, even just for double-quote(ish) interpolation, is still not safe, because it can interpolate ${BLOCK} type expressions, and BLOCK can contain any arbitrary code. Try calling the above script with ${print "I coulda killed ya"} as an argument.

    [I had a recommendation for plugging the hole, but it was wrong!]

    I am not aware of any other holes, but that doesn't mean there can't be any.


      That's a surprising loophole, since perl is aware of the danger of runtime evaluation of a regexp with an eval group:

      % perl -e '/$ARGV[0]/' '(?{print "nasty\n"})'
      Eval-group not allowed at runtime, use re 'eval' in regex m/(?{print "nasty\n"})/ at -e line 1.
      % perl -e 'eval qq(/$ARGV[0]/)' '(?{print "nasty\n"})'
      nasty

      the lowliest monk

        That's actually a different hole: you're using eval groups, while I'm using interpolation of a reference-block.
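As an added example, not code from Roy Johnson, tlm or anyone else in this thread: both holes discussed above (the ${ BLOCK } interpolation and the (?{ }) eval group) are closed by interpolating the untrusted string into qr// directly, with no string-eval anywhere in the path. The inputs are constructed; the last one is the eval-group case from the terminal session above.

```perl
use strict;
use warnings;

# Added example, not from the thread. Compile an untrusted pattern with
# qr/$var/ instead of eval STRING. Interpolating a variable's *value* never
# re-interpolates it: "${ BLOCK }" and "@{[ ... ]}" run code only when they
# appear in source text handed to eval STRING, and a "(?{ ... })" eval group
# in an interpolated string is refused at runtime unless the program itself
# says "use re 'eval'". The block eval here only traps the compile error;
# it evaluates nothing taken from $pat.
sub compile_user_pattern {
    my ($pat) = @_;
    my $re = eval { qr/$pat/ };
    return defined $re ? ($re, undef) : (undef, $@);
}

# Constructed inputs; the last one is the eval-group example from the thread.
my @inputs = (
    'fo+\tbar',                 # regex escapes like \t still work without eval
    '(unbalanced',              # syntax error: trapped and reported, nothing run
    '(?{print "nasty\n"})',     # eval group: "Eval-group not allowed at runtime"
);

for my $in (@inputs) {
    my ($re, $err) = compile_user_pattern($in);
    if (defined $re) {
        print "compiled: $in => $re\n";
    }
    else {
        chomp $err;
        print "rejected: $in => $err\n";
    }
}
```

What is lost compared with eval is exactly the re-interpolation of $var and @array from the input, which is the behaviour you do not want from untrusted data; the regex engine handles \t, \n and \x{..} escapes on its own.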