in reply to Re^2: Using Regexp Patterns as Variables
in thread Using Regexp Patterns as Variables

What ikegami points out is also important to recognize. Anyone who can access the site can feed in a URL with anything in it. As such, they may be able to choose a value for $1 with Dire Consequences.

For example, $1 = q{";system('shutdown -h now');"}

Re^4: Using Regexp Patterns as Variables
by Rodster001 (Pilgrim) on Mar 18, 2009 at 17:26 UTC
    Ok, I see what you are saying. But, would that really execute?

    For example:

    #!/usr/bin/perl
    use strict;
    use warnings;

    $ENV{REQUEST_URI} = "/Products/bt-;system('ls -l');.aspx";
    my $in  = '/Products/bt-(.*?).aspx';
    my $out = '/s/Products/$1';
    $ENV{REQUEST_URI} =~ s#$in#eval qq{"$out"}#ie;
    print "$ENV{REQUEST_URI}\n";
    Prints out this:
    /Products/bt-;system('ls -l');.aspx
    But, the eval isn't actually executing that command. Or, did I not do this test correctly?

      The test I had in mind was what you have but with:

      $ENV{REQUEST_URI} = q{/Products/bt-";system('ls -l');".aspx};

      I tried that too, and it also doesn't do anything. That's because all eval sees is ""/s/Products/$1"". The variable gets interpolated, but it doesn't execute the result. Given that, maybe there really isn't anything the user can do.

        Or if that doesn't reach the translator, the following surely would:
        $ENV{REQUEST_URI} = q{/Products/bt-foo.aspx?evil=";system('ls -l');".aspx};

        The solution is to use a more restrictive pattern:

        my $in = '/Products/bt-(\w+).aspx';

        That something as innocent as using .* in the pattern opens such a big security hole indicates a fundamental problem with the approach.
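A version of the translator that applies the restrictive `\w+` pattern and expands the `$1` placeholder in the replacement template by plain text substitution instead of compiling it with `eval`, added here as an illustration (this is not code from the thread; the rule table and the `expand`/`translate` helper names are assumptions):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rewrite rules kept as data: an anchored, restrictive pattern and a
# template whose only variable parts are $N placeholders (assumed layout).
my @rules = (
    [ qr{\A/Products/bt-(\w+)\.aspx\z}, '/s/Products/$1' ],
);

# Fill in $N placeholders from the captured groups. This is a textual
# substitution on the template; the template is never run as Perl code.
sub expand {
    my ($template, @captures) = @_;
    (my $out = $template) =~ s{\$(\d+)}{
        ($1 > 0 && defined $captures[$1 - 1]) ? $captures[$1 - 1] : ''
    }ge;
    return $out;
}

# Return the translated URI, or undef when no rule matches so the caller
# can reject the request instead of guessing.
sub translate {
    my ($uri) = @_;
    for my $rule (@rules) {
        my ($pattern, $template) = @$rule;
        if (my @captures = $uri =~ $pattern) {
            return expand($template, @captures);
        }
    }
    return;
}

# Constructed inputs: one benign request and the two hostile URIs from the thread.
for my $uri (
    '/Products/bt-foo.aspx',
    q{/Products/bt-";system('ls -l');".aspx},
    q{/Products/bt-foo.aspx?evil=";system('ls -l');".aspx},
) {
    my $out = translate($uri);
    printf "%-55s -> %s\n", $uri, defined $out ? $out : '(rejected)';
}
```

Only the first URI is rewritten (to `/s/Products/foo`); the other two fail the anchored `\w+` match and are rejected rather than reaching any interpolation step.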