in reply to eval() and security

my $x = <STDIN>; eval($x); <-- eval EXPR
my $x = <STDIN>; eval{ (my $s = "blah blah") =~ /$x/ }; <-- eval BLOCK
Despite the similarity in names, those are very different functions. You're really comparing
eval($x)
with
'' =~ /$x/

The regex engine has checks in place to prevent the execution of Perl code in interpolated variables, so it's pretty safe. (use re 'eval'; removes the checks. no re 'eval'; adds them.)

However, there is another class of problems you have to worry about. $x could contain a pattern that takes longer than the life of the Universe to execute. This could be used to mount a denial of service attack.
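An added example in Perl, not code from the thread, that checks both points of the reply above: an untrusted string interpolated into a pattern cannot run Perl code (the engine refuses the (?{ ... }) block unless use re 'eval' is in effect, and eval BLOCK traps that error), while the same string can still cost unbounded matching time, so the match is run in a child process that the parent kills on a deadline. The inputs are constructed in place of <STDIN>; the function names, the 20000-character subject and the 2-second deadline are the example's own choices, and it assumes a platform with fork.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(WNOHANG);

$| = 1;    # autoflush STDOUT so the forked child does not re-emit buffered output

# Constructed untrusted inputs (in the thread they would come from <STDIN>).
my $code_ran     = 0;
my $code_pattern = '(?{ $code_ran = 1 })';     # a code block smuggled into the pattern
my $slow_pattern = '^.*.*.*x$';                # three backtracking .* in a row
my $slow_subject = ('a' x 20_000) . 'xb';      # contains 'x' but can never match

# (1) eval BLOCK traps the runtime error the regex engine raises for a
#     code block in an interpolated variable; the block itself never runs.
sub match_untrusted {
    my ($subject, $pattern) = @_;
    my $matched = eval { $subject =~ /$pattern/ };
    if ($@) {
        chomp(my $err = $@);
        return "refused: $err";
    }
    return $matched ? "matched" : "no match";
}

print match_untrusted("blah blah", $code_pattern), "\n";
print "code_ran = $code_ran\n";    # stays 0: the (?{ }) block was never compiled

# (2) Run the match in a child and kill it if it overruns the deadline.
#     An alarm in the same process is not a reliable substitute: perlipc's
#     "Deferred Signals" section notes that a signal arriving during a
#     long-running opcode such as a regex match is not seen until that
#     opcode finishes.
sub match_with_deadline {
    my ($subject, $pattern, $seconds) = @_;
    my $pid = fork;
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # child: exit status encodes the result (0 match, 1 no match, 2 bad pattern)
        my $m = eval { $subject =~ /$pattern/ };
        exit 2 if $@;
        exit($m ? 0 : 1);
    }
    my $deadline = time + $seconds;
    while (time < $deadline) {
        if (waitpid($pid, WNOHANG) == $pid) {
            my $status = $? >> 8;
            return $status == 0 ? "matched"
                 : $status == 1 ? "no match"
                 :                "refused";
        }
        select(undef, undef, undef, 0.05);    # sleep 50 ms between polls
    }
    kill 'KILL', $pid;    # deadline passed: stop the runaway match
    waitpid($pid, 0);
    return "aborted: exceeded ${seconds}s";
}

print match_with_deadline("blah blah",   'blah',        2), "\n";
print match_with_deadline($slow_subject, $slow_pattern, 2), "\n";
```

The first call reports the engine's "Eval-group not allowed at runtime" refusal and $code_ran stays 0, which is the safety property the reply describes. The second function is the mitigation for the denial-of-service case: the pattern '^.*.*.*x$' forces the engine to try every way of splitting the subject among the three .* before it can fail, so the parent gives up after the deadline and kills the child instead of waiting. Isolating the match in a child also means a pathological pattern cannot tie up the process that handles other requests.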

Re^2: eval() and security
by halfcountplus (Hermit) on Nov 24, 2009 at 19:21 UTC
    However, there is another class of problems you have to worry about. $x could contain a pattern that takes longer than the life of the Universe to execute. This could be used to mount a denial of service attack.

    Okay, thanks much ikegami.