in reply to Re: Slurping search-replace patterns from a file
in thread RESOLVED: Slurping search-replace patterns from a file

Unfortunately, this is rather fragile - if "$repl" contains, say, a double quote, it breaks. My solution is somewhat similar, but it uses an actual "eval" so I can catch/warn about the errors:

    #!/usr/bin/perl -w
    use strict;

    while (<DATA>) {
        next unless /^\s*s\//;    # Minimal checking
        chomp;
        my ($pat, $repl) = (split '/')[1, 2];
        my $s = "foo";
        # string eval: $pat and $repl are interpolated into the s/// source
        eval "\$s =~ s/$pat/$repl/";
        warn "Warning: $@" if $@;
        print "$s\n";
    }
    __DATA__
    s/foo/bar/
    s/(fo)o/bar$1/

--
"Language shapes the way we think, and determines what we can think about."
-- B. L. Whorf

Re^3: Slurping search-replace patterns from a file
by moritz (Cardinal) on Oct 14, 2008 at 15:49 UTC
    ... and is just as vulnerable to code injection as the original solution. Add this line to the __DATA__ section:
    s/./${system "echo foo"}/
    Or instead of echo foo you can write rm -rf ~/* - I think you get the idea pretty quickly.

      Thanks for the feedback. The eval statement works (thanks for that), but as Moritz mentioned, it's very vulnerable. I don't expect this file to be exposed to malicious users, but it's still something I'd like to mitigate, if possible.

      I'm going through the documentation of String::Interpolate, and we'll see if that meets my needs.

      Thanks again for all the help.

      -HKS

        Note that if you have malicious users, and they can run the program on behalf of someone else, you still have a problem even if you eliminate all the evals. It's not too hard to write a pattern that takes a couple of million CPU years to conclude it's not going to match. Users may not be able to run arbitrary code - they still will be able to consume CPU cycles.
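As an added example (my code, not from anyone in this thread) of the mitigation moritz's reply calls for: the rule file is applied with no string eval at all, the pattern goes through qr// and the replacement is expanded by hand, so the `${system ...}` line from that post ends up as inert text. It assumes perl 5.10 or later (for the `//` operator).

```perl
#!/usr/bin/perl
# Added example (not from this thread): apply "s/PAT/REPL/" rules from a file
# without string-eval. PAT is compiled with qr// (a runtime (?{ }) block is
# refused unless 'use re "eval"' is on), and REPL is expanded by hand, so only
# \N, $N and ${N} backreferences work and "${system ...}" stays inert text.
use strict;
use warnings;

# Parse one rule line; a '/' inside PAT or REPL must be written as '\/'.
sub parse_rule {
    my ($line) = @_;
    $line =~ m{^\s*s/((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/\s*$} or return;
    my ($pat, $repl) = ($1, $2);
    my $re = eval { qr/$pat/ };    # block eval: catches compile errors only
    unless (defined $re) { warn "bad pattern '$pat': $@"; return }
    return { re => $re, repl => $repl };
}

# Expand backreferences in REPL from an arrayref of captures ($1 is [0]).
# Any other "\x" becomes literal x; a bare '$' or '@' is left untouched.
sub expand {
    my ($repl, $caps) = @_;
    $repl =~ s{\\([1-9])|\$([1-9])|\$\{([1-9])\}|\\(.)}{
        defined $4 ? $4 : ($caps->[($1 // $2 // $3) - 1] // '')
    }gse;
    return $repl;
}

# Apply one rule to a string; @- / @+ give the current match's group offsets.
sub apply_rule {
    my ($rule, $str) = @_;
    (my $out = $str) =~ s{$rule->{re}}{
        my @caps = map { defined $-[$_] ? substr($str, $-[$_], $+[$_] - $-[$_]) : undef } 1 .. $#-;
        expand($rule->{repl}, \@caps);
    }ge;
    return $out;
}

my $s = "foo";
while (my $line = <DATA>) {
    chomp $line;
    my $rule = parse_rule($line) or next;
    $s = apply_rule($rule, $s);
    print "$line  =>  $s\n";
}
__DATA__
s/foo/bar/
s/(ba)r/$1z/
s/./${system "echo pwned"}/
```

This does nothing about the CPU-exhaustion point in the last reply: a pathological pattern still runs for as long as the regex engine needs, so that has to be bounded separately (for instance by running the matching in a time-limited worker process).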