in reply to Perl module search engine

Allowing any regular expression is very dangerous, e.g.:
    my $re = qr|(?{system 'cat /etc/passwd'})|; "any string" =~ $re;
Update: thanks to moritz for explaining that this example isn't actually a problem. However, checking (and laundering) tainted data is always a good idea, especially when dealing with web apps.

Re^2: Perl module search engine
by moritz (Cardinal) on Jun 15, 2008 at 14:50 UTC
    That's not a problem if the regex comes from the outside world:
    $ perl -wle ' "any string" =~ m/$ARGV[0]/' "(?{system 'cat /etc/passwd'})"
    Eval-group not allowed at runtime, use re 'eval' in regex m/(?{system 'cat /etc/passwd'})/ at -e line 1.

    The real problem is denial-of-service attacks with endlessly backtracking regexes.

      ...endlessly backtracking regexes.

      Could you please provide an example? I would like to investigate it and see if there's a problem. Thanks.

      I always envisioned HTML::Perlinfo::Modules as something Perl developers might use, not the general public (which is why I wasn't too concerned that the HTML was absolutely perfect). You know, something you could install in your local intranet to see what's on your system.

        Could you please provide an example?
        perl -wle '$_="abc" x $ARGV[0]; m/(((.){1,20}.+){1,34}){2,4}[d]/' 10

        And now tell me how long your perl takes to find out that this regex fails ;-)
        $ARGV[0]   time in s
        3          0.003
        4          0.016
        5          0.167
        6          2.0
        7          23.8
        8          146

        I wasn't patient enough to see how long it takes to match with $ARGV[0] == 9, or in other words against 27 characters of input.
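Added example (not code from either poster, and not part of HTML::Perlinfo::Modules): a Perl script that shows the defender's side of both points in this thread. Part 1 catches the run-time refusal of an interpolated `(?{ })` block instead of letting it kill the request; part 2 uses `\Q...\E` when the user is searching for text rather than writing a pattern; part 3 bounds a genuinely user-supplied pattern by running the match in a child process with a time budget. The function names `compiles_safely`, `contains_literally` and `match_with_budget` and the sample inputs are constructed for this example; the child-process approach is one mitigation choice, not the thread's.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use POSIX ':sys_wait_h';   # WNOHANG for the non-blocking waitpid below

# Constructed inputs standing in for what a user could type into a search box.
my $code_pattern  = "(?{system 'echo pwned'})";       # code block, as in the parent post
my $evil_pattern  = '(((.){1,20}.+){1,34}){2,4}[d]';   # the backtracking pattern quoted above
my $literal_terms = 'HTML::Perlinfo';

# 1. Interpolating an untrusted pattern: perl refuses (?{ ... }) at run time
#    unless the program itself says `use re 'eval'`.  The refusal is a fatal
#    error, so a web app must catch it rather than let it abort the request.
sub compiles_safely {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    return $re ? $re : undef;          # undef: rejected, reason is left in $@
}
printf "code block: %s\n",
    compiles_safely($code_pattern) ? "accepted" : "rejected ($@)";

# 2. When the user is searching for text, not writing a regex, quote it.
#    \Q...\E (quotemeta) makes every metacharacter literal, so neither
#    pattern semantics nor backtracking structure survive.
sub contains_literally {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/ ? 1 : 0;
}
printf "literal search: %d\n",
    contains_literally('HTML::Perlinfo::Modules 1.x', $literal_terms);

# 3. When real pattern semantics are required, bound the work.  perlipc notes
#    that perl checks pending signals only between opcodes, so alarm() cannot
#    cut short one long-running match; run the match in a child process
#    instead and kill the child when the budget is spent.
sub match_with_budget {
    my ($haystack, $pattern, $seconds) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: the exit code carries the verdict
        # (0 no match, 1 match, 2 pattern rejected at compile time).
        my $hit = eval { $haystack =~ m/$pattern/ ? 1 : 0 };
        exit(defined $hit ? $hit : 2);
    }
    my $deadline = time() + $seconds;
    while (time() < $deadline) {
        if (waitpid($pid, WNOHANG) == $pid) {
            my $code = $? >> 8;
            return $code == 2 ? undef : $code;
        }
        select(undef, undef, undef, 0.05);   # sleep 50 ms without alarm()
    }
    kill 'KILL', $pid;                        # budget exhausted: stop the match
    waitpid($pid, 0);
    return undef;                             # undef: rejected or timed out
}

my $input = 'abc' x 8;    # 24 characters: over two minutes in the table above
for my $case ([$input, $evil_pattern], [$input, 'abc']) {
    my ($hay, $pat) = @$case;
    my $r = match_with_budget($hay, $pat, 2);
    printf "%-32s => %s\n", $pat,
        defined $r ? "verdict $r" : "rejected or timed out";
}
```

Run with a plain `perl`: the code-block pattern is reported as rejected, the literal search returns 1, the backtracking pattern is killed after the 2 second budget, and the harmless pattern returns verdict 1. The exit-code channel keeps the parent free of any regex work, which is the property that matters: whatever the pattern does, the request handler itself never blocks on it.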