You just allowed arbitrary code to be placed in the url. Considering the code appears in a CGI script, that doesn't seem to be a good idea.

If you want a template (that's what '$1' is here), use a template, not eval EXPR!!!

It's an admin function. I fully trust the source of where these rules are created. Regular users cannot do this and the function is well protected.

Think of it like giving them root access. If root wants to do an "rm -rf /" that's the power of root.

With great power comes great... well, you know.

Turn on taint #!/usr/bin/perl -T-- just the same.

That's why I wrote this:

I can't say I recommend that, however, especially if you don't trust the source of your real $out.

There's no "if". $ENV{REQUEST_URI} is controlled by remote users.

Even ignoring the evident trust issues, eval is simply not the right tool.

This code runs two sites, there is an admin function that allows site admins to create URL translators (old product links to new product links). Basically, they add patterns and those get stored in a database (it doesn't work yet though).

I don't want to hard code the patterns (as both sites are very different) and also there needs to be a way to add these rules as broken links are found.

Make sense? Code looks something like this:

        my $req = $ENV{REQUEST_URI};

        ## Get rules
        my $query = qq~
                SELECT incoming, outgoing, id
                FROM url_translate
        ~;
        my $sth = $dbh->prepare($query);
        my $rv = $sth->execute;

        while (my $r = $sth->fetchrow_hashref) {

                my $in  = $r->{incoming};
                my $out = $r->{outgoing};

#               if( s#$in#$out#i ) {
                if( $req =~ s#/Products/bt-(.*?).aspx#/s/Products/$1#i
+ ) {
                        $ENV{REQUEST_URI} = $req;
                        return;
                }

        }

        return;
[download]

my $out = '/s/Products/$1';

$ENV{REQUEST_URI} =~ s/$in/eval qq{"$out"}/ie;
[download]

Thanks for your help!

What ikegami points out is also important to recognize. Anyone who can access to the site can feed in a URL with anything in it. As such, they may be able to choose a value for $1 with Dire Consequences.

For example, $1 = q{";system('shutdown -h now');"}

Ok, I see what you are saying. But, would that really happen execute?

For example:

#!/usr/bin/perl

use strict;
use warnings;

$ENV{REQUEST_URI} = "/Products/bt-;system('ls -l');.aspx";

my $in  = '/Products/bt-(.*?).aspx';
my $out = '/s/Products/$1';

$ENV{REQUEST_URI} =~ s#$in#eval qq{"$out"}#ie;

print "$ENV{REQUEST_URI}\n";
[download]

Prints out this:

/Products/bt-;system('ls -l');.aspx
[download]

But, the eval isn't actually executing that command. Or, did I not do this test correctly?