Re^3: eval() and security

I did not mean it as a literal runnable example, or I would have put it in code tags.

The key point is that you can run arbitrary code (provided it parses) inside a regex match. If you allow user data into the regex match, then the sky is the limit for exploits. (As anonymonk shows above, Taint mode is smart enough to hate that sort of thing)

Comment on Re^3: eval() and security

Replies are listed 'Best First'.
Re^4: eval() and security by Anonymous Monk on Nov 24, 2009 at 17:59 UTC
also there are regex patterns which will run forever, and there have been some that will overflowed buffers...	[reply]
Re^5: eval() and security by ikegami (Patriarch) on Nov 24, 2009 at 18:23 UTC
and there have been some that will overflowed buffers... The switch to a non-recursive engine in 5.10 should have fixed that.	[reply]
Re^6: eval() and security by Anonymous Monk on Nov 24, 2009 at 23:46 UTC
See Faulting application perl.exe, version 0.0.0.0, faulting module msvcrt.dll, version 7.0.2600.1106, fault address 0x0003334c.. I don't think the regex engine is the actual cause, but it triggers the error.	[reply]
Re^4: eval() and security by halfcountplus (Hermit) on Nov 24, 2009 at 18:07 UTC
The key point is that you can run arbitrary code (provided it parses) inside a regex match. I have thought this too, but in fact I cannot make it happen for all my trying, and I have never seen any security advisories about it, nor kind I find any examples of such a thing.	[reply]