tfoertsch has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I want to include a regexp input field on a WEB page. Obviously I don't want the user to be able to execute arbitrary code on the server.

Is that possible with perl >=5.8.8?

Thanks,
Torsten

Re: how to restrict a regexp?
by ikegami (Patriarch) on Mar 17, 2008 at 11:04 UTC

    The constructs that can contain code ((?{...}) and (??{...})) cannot be interpolated into a regexp by default. So as long as use re 'eval'; isn't used, they won't be able to execute arbitrary code.

    However! It is possible for them to construct a regexp that will take until the death of the universe to process, causing a denial of service if left unchecked.

    It's also possible to create a regexp that crashes Perl (by overflowing the stack, IIRC). That particular issue has been fixed in 5.10, I believe.

      It's also possible to create a regexp that crashes Perl

      There was a buffer overflow under some conditions that involve Unicode in the pattern, and a string that is matched against the pattern not being upgraded correctly.

      There were patches for that overflow, and most operating systems should have been updated by now.

      But it demonstrates that regexes are still a bit more fragile than normal scalars, and thus you should be extra careful.

      The only reliable way around regexes that take exponential time is to restrict the search time, and kill the process if it doesn't stop.

        Thanks for your answers. I have now wrapped the regexp in a block with "no re 'eval'" at start. It is then further wrapped in a nested eval block with an alarm set to avoid the exponential time issue.
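A worked version of the approach described in the follow-up above (reject patterns that try to embed code, then run the match under a time limit and kill it if it runs away), added here as an example; it is not code from this thread, and the function names, the 256-character length limit and the sample inputs are my own choices. It forks the match into a child process, as the reply about killing the process suggests, rather than relying on alarm interrupting the regex engine in-process, which deferred (safe) signals may delay on some Perl versions.

```perl
use strict;
use warnings;
use POSIX ();

# Compile a user-supplied pattern without letting it embed code.
# Returns a qr// object or dies with the reason.
sub compile_user_pattern {
    my ($pattern, $max_len) = @_;
    $max_len = 256 unless defined $max_len;   # assumed limit
    die "pattern too long\n" if length($pattern) > $max_len;
    no re 'eval';   # the default, restated: an interpolated (?{...}) or
                    # (??{...}) makes qr// die here instead of running code
    my $re = eval { qr/$pattern/ } or die "bad pattern: $@";
    return $re;
}

# Run the match in a forked child and kill it after $timeout seconds.
# Returns 1 (match), 0 (no match) or undef (timed out or child died).
sub match_with_timeout {
    my ($re, $subject, $timeout) = @_;
    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: the exit status carries the result; nothing else is shared.
        POSIX::_exit($subject =~ $re ? 0 : 1);
    }
    my $status;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        waitpid($pid, 0);          # interrupted by SIGALRM if the child hangs
        $status = $?;
        alarm 0;
    };
    if ($@) {
        kill 'KILL', $pid;         # runaway backtracking: kill the child
        waitpid($pid, 0);          # reap it
        return undef;
    }
    return undef if $status & 127; # child died from a signal (e.g. a crash)
    return ($status >> 8) == 0 ? 1 : 0;
}

# Constructed inputs for the demonstration.
my $ok = eval { compile_user_pattern('(?{ print "code ran\n" })'); 1 };
print "embedded code rejected: $@" unless $ok;
my $re = compile_user_pattern('^(a|aa)+$');
my $r  = match_with_timeout($re, ('a' x 40) . 'b', 2);
print defined $r ? "result=$r\n" : "match killed after 2s\n";
```

Whether the last match finishes quickly or is killed depends on how much backtracking the engine version does for that pattern; the point of the wrapper is that either outcome returns control to the caller.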
Re: how to restrict a regexp?
by wade (Pilgrim) on Mar 17, 2008 at 17:52 UTC

    Are you running in 'taint' mode? If not, this would be a good place to start with this kind of code. In this case, you'd have to sanitize the regex manually and then untaint it.

    If you're not familiar with taint mode, check out http://perldoc.perl.org/perlsec.html.

    --
    Wade