Re: using just variables in a regular exression

The former behavior is documented in perlop, under the "Binding Operators" section, where it states:

If the right argument is an expression rather than a search pattern, substitution, or transliteration, it is interpreted as a search pattern at run time.

This is a slightly dangerous behavior, though no more so than the act of passing a user-supplied pattern as $data =~ m/$user_pattern/. A user could supply a masterfully crafted (or simply grossly naive) pattern that results in massive amounts of memory consumption and near infinite looping inside the regex engine. And it's next to impossible to pre-process the user-supplied pattern in a way that will prevent this potential risk while at the same time retaining the legitimate functionality of the regex language.

To get the ability for a user-supplied operator (such as s///) to be executed, you've got a couple of choices: One is to elevate your security risk a few levels higher by using string eval to evaluate the user-supplied code (this is usually a bad idea). Another is to create logic in your program that allows a user to specify whether he wants substitution or simple matching, and then supply the operators yourself. For example:

use strict;
use warnings;

my $data         = "Just another Perl hacker,";
my $action       = 'subst';
my $pattern      = 'hacker';
my $substitution = 'enthusiast';

my %actions = (
  match    => 
    sub { my $rv = $_[0] = ~m/$_[1]/;       return( $rv, [@-], [@+] ) 
+},
  subst    => 
    sub { my $rv = $_[0] =~ s/$_[1]/$_[2]/; return( $rv, [@_], [@+] ) 
+},
);

exists $actions{$action} or die "Invalid action: $action";
my @results = $actions{$action}->($data, $pattern, $substitution);
print $data, "\n";
[download]

With a little thought, and a better understanding of the exact problem you're trying to solve, you could probably come up with even simpler dispatch table callbacks...or could add additional return values as needed. But the point is that here we're avoiding evaluating user-supplied code directly, although we still have the problem of the user possibly supplying a nasty regex.

Dave

Comment on Re: using just variables in a regular exression Select or Download Code

Replies are listed 'Best First'.
Re^2: using just variables in a regular exression by sdetweil (Sexton) on Aug 31, 2012 at 00:38 UTC
Thanks, but Both of u coded the s// directly in perl source code. I only have two variables. One contains the data, the other contains the completely arbitrary expression. It could be a match m// expression, or a substitution s///, or some parsing expression. I have no idea. I do not want parse the expression contents in my own code to get parts to put back into some other instruction format in source code. That was the whole point of supporting regex. This s in a tool used by my product support teams to gather diagnostic data from a users system. Sometimes the product install design team didn't think how hard it might be to find/use the product install path in their saved config data. As an example, they recorded the direct path and name of the main install executable in single quotes, but we actually need the parent folder of the exe, with another subdirectory to get to the log files. 'C:/somedir/part2/part3/foobar.exe' My app lets the script writer parse that out. Path(str)='c:/somedir/part2/part3 Path(str)='c:/somedir/part2 Add /logs/*.log' But the ' kills it all. The s/'/\"/g would solve it. I don't have a built in replace function in my script handler.	[reply]
Re^3: using just variables in a regular exression by davido (Cardinal) on Aug 31, 2012 at 00:52 UTC
Then what you're after, as I mentioned, is the string version of eval: `my $data = 'Just another Perl hacker,'; my $expression = 's/(another)/a/'; my $match_var; my $result = eval <<"END_EVAL"; my \$success = \$data =~ $expression; \$match_var = \$success ? \$1 : undef; \$success; END_EVAL if( $result ) { print "$match_var => $data\n"; }` [download] It would be better if instead of passing "`$match_var` out of the eval's scope you instead passed a reference to a copy of `@-` and `@+`; that way you could look at `scalar @-` to determine how many captures were produced, and then use `substr` on an original copy of the string to determine what those captures actually were. And while you're at it, you might also need to deal with named captures. But this opens your code to some serious problems. Consider the following: `my $data = 'Just another Perl hacker,'; my $expression = 's/(another)/a/; print "Hello world!\n";'; my $match_var; my $result = eval <<"END_EVAL"; my \$success = \$data =~ $expression; \$match_var = \$success ? \$1 : undef; \$success; END_EVAL if( $result ) { print "$match_var => $data\n"; }` [download] Now by supplying a semicolon in the appropriate place within the code string, the user was able to move on, executing arbitrary additional code (in this case, `print "Hello world!\n";`). That's possibly innocuous, but how about '`while ( my( $key, $value ) = each %ENV ) { ... }`', or how about backticks or a system call, or even unlink? Maybe you can trust your users. But I wouldn't even trust myself with code that exposes that sort of security flaw. No.....you're much better off staying away from the temptation to take the easy solution. It might save you an hour of coding now, but imagine how time consuming it will be when a user does something malicious because he felt snubbed by how you failed to notice him in the break room. The safest approach is to find a way to allow users to choose between different operations that you explicitly expose. Much less safe but still better than simple eval would be to use the Safe module's `reval` method. That will protect you against many malicious attacks, but won't protect from denial of service attacks. A user could still tie up a process forever and consume as much memory as you have available. Dave	[reply] [d/l] [select]
Re^4: using just variables in a regular exression by sdetweil (Sexton) on Aug 31, 2012 at 03:31 UTC
thought I had posted.. it was sitting on the ipad.. thanks, you've convinced me.. see the later post with the updated code and one remaining question sam weird.. it was there.. ah fun	[reply]
Re^4: using just variables in a regular exression by sdetweil (Sexton) on Aug 31, 2012 at 02:19 UTC
Ok, you've convinced me. if the expression starts with s or m then parse on the / otherwise its a parser. if s or m, handle as u suggest.. not a lot of code add. thanks Sam	[reply]
Re^5: using just variables in a regular exression by davido (Cardinal) on Aug 31, 2012 at 02:49 UTC