in reply to Re: Abbreviation regex?
in thread Abbreviation regex?

++ I like the thinking outside the box. That said, you can only do that if $str comes from a trusted source. If, for example, you get it from user input, try this as input:

abbr(?{system qw(format c:)})ev

Of course, that's only really a problem if you have enabled use re 'eval'; - but if you already need that for other purposes, you'll need to be very careful.

In fact, your "outside the box" is almost exactly described in the documentation for the (?{ code }) construct in perlre where it goes into a bit more detail and talks about ways to mitigate it.

Re^3: Abbreviation regex?
by ikegami (Patriarch) on Jan 16, 2006 at 18:07 UTC
    The injection attack (and the bug preventing the use of special characters) is fixed by simply adding \Q!
    if ( "abbreviation" =~ m/^\Q$str/ ) { #...
Re^3: Abbreviation regex?
by fishbot_v2 (Chaplain) on Jan 16, 2006 at 18:02 UTC

    Naturally... there are a number of downsides to this solution. The most obvious to me is overhead. If we are scanning a file, we need to recompile a trivial regex for each word. The substr solution above is much faster and safe from exploit.

    I've seen it somewhere before. I don't know where, though. I think that it resides in the place for things that are idiomatic but not useful enough to be idioms.
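
As an added example (not code from any post in this thread), the Perl script below runs four constructed inputs through raw interpolation, raw interpolation with use re 'eval' in scope, the \Q form and a substr comparison. The sub names, the sample inputs and the $main::ran counter, which stands in for an embedded command, are assumptions made for illustration.

```perl
use strict;
use warnings;

our $ran = 0;               # counts executions of the embedded code block
my $word = 'abbreviation';

# Constructed inputs standing in for an untrusted $str.
my @inputs = (
    'abbr',                      # ordinary prefix
    'a.b',                       # '.' is a metacharacter, not a literal dot
    'abbr(',                     # unbalanced paren: not a valid pattern
    'abbr(?{ $main::ran++ })',   # code block; a harmless counter, not a command
);

# Raw interpolation: $str is compiled as a pattern.
sub raw_match { my ($str) = @_; return $word =~ m/^$str/ ? 1 : 0 }

# Raw interpolation with re 'eval' in scope: (?{ }) inside $str is run.
sub raw_eval_match {
    my ($str) = @_;
    use re 'eval';
    return $word =~ m/^$str/ ? 1 : 0;
}

# \Q escapes every metacharacter, so $str is matched literally.
sub quoted_match { my ($str) = @_; return $word =~ m/^\Q$str/ ? 1 : 0 }

# No pattern at all: compare against the leading characters of the word.
sub substr_match { my ($str) = @_; return substr($word, 0, length $str) eq $str ? 1 : 0 }

my @tests = (
    [ 'raw',      \&raw_match ],
    [ 'raw_eval', \&raw_eval_match ],
    [ 'quoted',   \&quoted_match ],
    [ 'substr',   \&substr_match ],
);

for my $str (@inputs) {
    my @cells;
    for my $t (@tests) {
        my ($name, $fn) = @$t;
        my $res = eval { $fn->($str) };   # a bad or refused pattern dies
        push @cells, "$name=" . (defined $res ? $res : 'died');
    }
    printf "%-26s %s\n", $str, join('  ', @cells);
}
print "embedded code block ran $ran time(s)\n";
```

Without use re 'eval', Perl refuses a run-time pattern that contains a code block, which shows up as died in the raw column; the quoted and substr columns never compile $str as a pattern at all.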