Re^3: How to do regex backreferences within $variable replacement text?

~~GrandFather missed another e~~. GrandFather fixed it

$user_defined_string =~ s/$user_defined_search/$user_defined_replace/e
+eg;

__END__
before: abcabcabc
after: ---a---bc---a---bc---a---bc
[download]

Now back to your security issue, here is a simple thing to do as a replacement and you will get the username. In otherwords it is really dangerous as pointed out by Zaxo and GrandFather

my $user_defined_replace = '`whoami`';

before: abcabcabc
after: xxx
bcxxx
bcxxx
bc
[download]

Note: in the above xxx stands for the username

Update: I might be wrong but I cannot see a nice way to handle user definied substitutions... If you give them control to becomoe part of your script (i.e. they give some code to be executed inside your script) then they can do whatever they want... A better would be to look through the string they send you and check for potentially harmful substitutions like backticks and other operators and then not execute if present.

Comment on Re^3: How to do regex backreferences within $variable replacement text? Select or Download Code

Replies are listed 'Best First'.
Re^4: How to do regex backreferences within $variable replacement text? by Hue-Bond (Priest) on Sep 18, 2005 at 01:17 UTC
A better would be to look through the string they send you and check for potentially harmful substitutions Better than that is to filter everything except known-good characters, like we do when untainting data. In fact, the OP program should run under taint mode. -- David Serrano	[reply]