in reply to Re: Validating Regular Expression
in thread Validating Regular Expression

I could just be timid, but I would not trust myself to filter this type of input from an untrusted source. Nefarious people are sometimes smarter than me and always have more time and motivation, so I would not put this tool anywhere they could use it to elevate permissions. Sure, you could swap my routine above to
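
    sub validate {
        my $pat = shift;
        # Reject (?{ ... }) and (??{ ... }) code constructs
        return if $pat =~ /\(\?{1,2}\{/;
        # Compile inside eval so a malformed pattern returns undef instead of dying
        return eval { qr/$pat/ };
    }
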
to filter out code evaluation and pattern code expressions (A bit of magic: executing Perl code in a regular expression), but I'm sure I'd miss some clever escape or exploit of the regex engine. This is the sort of thing where the feature is not worth the effort to secure it properly.
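
The filter above layered on Perl's own default, shown as an added example that is not code from the thread: Perl refuses code blocks in a pattern interpolated at run time unless `use re 'eval'` is in effect, so the compile step rejects them even when the text filter is skipped. The `skip_filter` option and the sample patterns are constructed for illustration.

```perl
use strict;
use warnings;

# Returns (compiled_regex, undef) on success, (undef, reason) on rejection.
sub validate {
    my ($pat, %opt) = @_;
    return (undef, 'no pattern') unless defined $pat;

    # Layer 1: the explicit filter from the post, for (?{...}) and (??{...}).
    # skip_filter is a hypothetical option, only here to expose layer 2.
    if (!$opt{skip_filter} && $pat =~ /\(\?{1,2}\{/) {
        return (undef, 'filter: code block construct');
    }

    # Layer 2: compile with run-time code blocks disabled. This is Perl's
    # default; "no re 'eval'" guards against an enclosing "use re 'eval'".
    no re 'eval';
    my $re = eval { qr/$pat/ };
    return ($re, undef) if defined $re;

    chomp(my $err = $@);
    return (undef, "engine: $err");
}

# Constructed sample patterns: valid, malformed, and the two code constructs.
my @samples = (
    '^\d{3}-\d{4}$',
    '(unclosed',
    '(?{ print "ran" })',
    'a(??{ "b" })',
);

for my $pat (@samples) {
    # Run once with the filter and once relying on the engine alone.
    for my $skip (0, 1) {
        my ($re, $why) = validate($pat, skip_filter => $skip);
        printf "%-22s filter=%-3s %s\n",
            $pat, ($skip ? 'off' : 'on'),
            defined $re ? 'accepted' : "rejected ($why)";
    }
}
```

The check only holds while nothing in scope enables `use re 'eval'`; it does not limit how long an accepted pattern takes to match.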

Re^3: Validating Regular Expression
by Anonymous Monk on Feb 15, 2011 at 17:54 UTC

    Hi,

    I'm not too worried about them trying to attack using this. It's their own PC it's running on! Would be a pain if it was a web application or similar but this is just a local Tk app.

    If they can escalate privileges in any way then that's a fault in the OS or the IT setup. Either way, Not My Problem (Tm)!!

    Graham