in reply to Regex Grumblings (Variable Interpolation)

My question is: Why is the regexp compiler lenient enough to recognize $bar straight out as a variable reference, but one level removed (via $foo) and it will not operate?
This is a Good Thing from a security perspective.

Suppose you had a place for me to type a regex on a web form. So it shows up in a Perl variable, which you interpret dynamically as above. If I learn of that, I merely enter $foo[`evil command`] for my regex, and I've now haxored your system.

No, the present system must stay. It's the only way to ensure no "double-level" of interpretation, an absolute requirement for security.

-- Randal L. Schwartz, Perl hacker

Re^2: Regex Grumblings (Variable Interpolation)
by tadman (Prior) on May 23, 2001 at 19:54 UTC
    I'm probably missing the boat here, but the documentation claims that since "patterns are processed as double-quoted strings, the normal double-quoted interpolations will work."[1]
    my $foo = "`ls`";   # "Evil" command
    my $bar = "$foo";
    print $bar, "\n";
    All you get is:

        `ls`

    I wasn't hoping for a miracle to occur, just that $foo would be translated as literal string '$bar', and that the '$' would be recognized as just another ASCII character, not the end of line anchor. After all, if we're on the subject of evil, now this means that you can put all sorts of wacky stuff in your variable and it gets interpolated as regexp material, or at least jostles your program with a warning:
    my $foo = '(?{die})';
    s/$foo/XYZ/g;   # Eval-group not allowed at runtime, use re 'eval'
    Maybe there should be a switch for regexps which cause any interpolated strings to be interpreted as just text and any meaning is disregarded. Of course, you can always do this with \Q and \E...
    [1] Programming Perl, 2nd Ed., pg. 60
      if we're on the subject of evil, now this means that you can put all sorts of wacky stuff in your variable and it gets interpolated as regexp material,
      Um, that's not evil, that's intentional. How else would you store a regular expression in a variable for later use? (Remember that qr// is only a recent addition to Perl.)
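As an added illustration of both merlyn's point (an interpolated string becomes regex text once, and is never re-read as Perl) and tadman's \Q...\E remark, here is a small script that is not from the thread; the "user input" values are constructed, and the only assumption is a Perl new enough to refuse (?{ }) in interpolated patterns without `use re 'eval'`.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: one level of interpolation only,
# \Q...\E as the "treat it as plain text" switch, and the built-in refusal of
# code blocks that arrive through a variable.
use strict;
use warnings;

# Constructed input, as if typed into a web form.
my $user_pattern = '$foo[`evil command`]';

# Constructed subject text that happens to contain the same characters.
my $subject = 'literal: $foo[`evil command`]';

# 1. Plain interpolation: the variable's *text* becomes the pattern. It is
#    not interpolated a second time as Perl, so no command runs. As regex
#    syntax, '$' is an anchor and '[...]' a character class, so the pattern
#    demands "foo" after end-of-string and can never match.
my $matched_raw = ($subject =~ /$user_pattern/) ? 1 : 0;
print "raw interpolation matched: $matched_raw\n";          # 0

# 2. \Q...\E (quotemeta) escapes every metacharacter, so the same input is
#    matched as literal text, exactly what "ignore any meaning" would give.
my $matched_quoted = ($subject =~ /\Q$user_pattern\E/) ? 1 : 0;
print "quotemeta interpolation matched: $matched_quoted\n";  # 1

# 3. A code block smuggled in through a variable is refused at runtime
#    unless the program opts in with "use re 'eval'", so interpolated input
#    cannot execute Perl either.
my $code_pattern = '(?{ die "code ran" })';
my $err = '';
eval { $subject =~ /$code_pattern/; 1 } or $err = $@;
my $rejected = ($err =~ /Eval-group not allowed/) ? 'yes' : 'no';
print "code block rejected: $rejected\n";                    # yes
```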