mt2k has asked for the wisdom of the Perl Monks concerning the following question:

Could the following regular expression prove to be dangerous to the server:

if ($string =~ /$input{'variable'}/gis) {
#Some processing
}

[download]

The $input{'variable'} variable would be a value entered from a textfield from a CGI script.

I don't think entering commands does anything, but I noticed that you can enter special characters, such as charater classes, parentheses, periods, carets, and dollar signs. So is there any danger of files being deleted, or anything else I would want to class as bad?? Or would it just allow some nice restrictions for a search engine??

So if it is dangerous somehow, I should use:

if ($string =~ /\Q$input{'variable'}/) {
#blah blah blah...
}

[download]
right??

Replies are listed 'Best First'.
Re: Regex Dangerous??
by merlyn (Sage) on Mar 23, 2001 at 04:52 UTC
    Amongst other potential dangers, there's a "denial of service" attack trivially possible with a short regex that fails to match, but fails to match in exponentially countable ways. See Jeffrey Friedl's "Mastering Regular Expressions" for a discussion of this.

    Solution: make sure you have a timeout alarm set.

    -- Randal L. Schwartz, Perl hacker

[reply]
Re: Regex Dangerous??
by mt2k (Hermit) on Mar 23, 2001 at 04:50 UTC
    Though I just found out I'd have to use something like: 
    $input{'variable'} =~ s/\\/\\\\//gs;

    [download]
    because otherwise you get a server error if you simply type in '\'
[reply]
[d/l]
      Well, you'll get server errors for a lot more than that. Any invalid regex will bollux you. What you need to do is wrap it in an eval block, and capture the $@ variable. Standard exception-handling stuff.

      -- Randal L. Schwartz, Perl hacker

[reply]

Back to Seekers of Perl Wisdom