in reply to Re: unconventional string substitutions
in thread unconventional string substitutions

The outer eval is indeed not needed. Both forms of eval catch exceptions.

As long as $suffix is constrained to /^[xismg]+\z/, there should be no security issues from the eval. There are, however, security issues with regexes. The following should be a good *start*:

    my $string  = ...;
    my $regexp  = ...;
    my $new     = ...;
    my $suffix  = ...;
    my $timeout = 2;
    my $output;

    $suffix =~ /^[xismg]+\z/
        or die("Bad suffix\n");

    # Only $suffix is interpolated into the source text; $regexp and $new
    # stay variables inside the generated sub, so their contents are data.
    my $sop = eval "sub { s/\$regexp/\$new/$suffix }"
        or die("Bad regexp: $@\n");

    eval {
        local $SIG{ALRM} = sub { die "Alarm\n" };
        alarm($timeout);
        $sop->() for $output = $string;   # foreach aliases $_ to $output
        alarm(0);                          # cancel the alarm once the substitution finishes
        1;
    } or die($@ eq "Alarm\n" ? "Timeout\n" : "Bad regexp: $@");

The denial of service isn't completely addressed. Even though the search is limited to $timeout seconds, the user can send requests faster than once a second.

The security risk from bugs in the regexp engine isn't addressed at all.
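A variant of the sketch above, added here as an example and not the poster's code: it keeps the [xismg] whitelist and the alarm, but compiles the pattern with qr// instead of building Perl source by string-eval, caps the pattern length, and reports a timeout separately from a pattern that fails to compile. The function name safe_subst, the MAX_PATTERN limit and the sample inputs are constructed for this example.

```perl
use strict;
use warnings;

# Added example, not the poster's code. safe_subst(), MAX_PATTERN and the
# per-flag handling are this example's own choices.
use constant MAX_PATTERN => 256;   # assumed cap on pattern length

my %ALLOWED_FLAG = map { $_ => 1 } qw(x i s m g);

# Apply s/$regexp/$new/$suffix to $string with the flags restricted to
# [xismg], without ever placing caller data in Perl source text.
sub safe_subst {
    my ($string, $regexp, $new, $suffix, $timeout) = @_;
    $timeout = 2 unless defined $timeout;

    # 1. Flags: only the five the thread permits, each at most once.
    #    An empty suffix is accepted here and means a plain s///.
    my %seen;
    for my $f (split //, $suffix) {
        die "Bad suffix\n" unless $ALLOWED_FLAG{$f} && !$seen{$f}++;
    }
    my $global = delete $seen{g};              # g is not a pattern modifier
    my $mods   = join '', sort keys %seen;     # any of x, i, s, m

    # 2. Pattern: cap its size, then compile it twice with qr//. The first
    #    compile of the bare pattern guarantees its parentheses balance, so
    #    the second, wrapped in (?mods:...), cannot be escaped by a stray ")".
    #    Because $regexp is interpolated at runtime, perl refuses a (?{ ... })
    #    code block in it unless "use re 'eval'" is in effect.
    die "Pattern too long\n" if length($regexp) > MAX_PATTERN;
    my $re = eval { qr/$regexp/ } or die "Bad regexp: $@";
    if ($mods) {
        $re = eval { qr/(?${mods}:${regexp})/ } or die "Bad regexp: $@";
    }

    # 3. Run under an alarm and always cancel it, so a pending SIGALRM can
    #    never fire after the local handler has gone out of scope.
    my $output = $string;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "Alarm\n" };
        alarm($timeout);
        if ($global) { $output =~ s/$re/$new/g } else { $output =~ s/$re/$new/ }
        alarm(0);
        1;
    };
    unless ($ok) {
        my $err = $@;
        alarm(0);
        die $err eq "Alarm\n" ? "Timeout\n" : "Substitution failed: $err";
    }
    return $output;
}

# Constructed inputs for a stand-alone run: two valid requests, then a
# suffix carrying the code-executing /e flag, an unbalanced pattern and a
# pattern containing a code block, all of which must be rejected.
for my $case (
    ["Hello World", "o",        "0",    "g"],
    ["Hello World", "WORLD",    "Perl", "i"],
    ["Hello World", "o",        "0",    "ge"],
    ["Hello World", "(",        "x",    ""],
    ["Hello World", "(?{ 1 })", "x",    ""],
) {
    my ($string, $regexp, $new, $suffix) = @$case;
    my $result = eval { safe_subst($string, $regexp, $new, $suffix) };
    printf "s/%s/%s/%s on %s => %s", $regexp, $new, $suffix, $string,
        defined $result ? "$result\n" : "rejected: $@";
}
```

Two caveats carry over from the thread. alarm() works in whole seconds, and perlipc documents that deferred signals are only seen between opcodes, so a single pathological match can outlast the alarm; per-client rate limiting has to live outside this function. The length cap only shrinks the input reaching the regex engine; it does not remove the risk of engine bugs.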