zby has asked for the wisdom of the Perl Monks concerning the following question:

In my application I need to let the users enter regular expressions that will be used for some filtering. What expressions should I reject as being dangerous? Is it enough to look for ?{?

Backtracking can be used for a DOS attack - but I think it would be impossible to check that, so I'll have to live with that I guess.

Re: untainting regular expressions
by dave_the_m (Monsignor) on May 05, 2004 at 15:20 UTC
    Perl already refuses to execute (?{'s that come from interpolated strings unless use re "eval" is in force. So you should be fairly safe. Of course the DOS can include memory exhaustion too.
Re: untainting regular expressions
by kutsu (Priest) on May 05, 2004 at 15:24 UTC

    It's not what should I reject, it's what shouldn't I reject. For example: die "Variable contains dangerous data" if $some_var =~ /[^0-9A-Za-z]/;. As for what you should allow, that depends on what you're filtering. My example would be pretty safe but would only allow for numbers and characters; you might look at perlre, specifically \Q and \E, for how to improve safety.

    "Cogito cogito ergo cogito sum - I think that I think, therefore I think that I am." Ambrose Bierce

      I'd like to let people do as much as is feasible. Numbers and word chars are too little for sure - I mostly write the app for myself (although I'll let others use it), and I really don't like to be too restricted.
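Putting the two replies together (let qr// refuse code blocks at compile time, and bound the backtracking cost separately), here is an added example that is not from the thread. It assumes a Unix fork(), a length cap of 200 characters and a 2-second match budget, all chosen for illustration.

```perl
use strict;
use warnings;
use POSIX qw(WNOHANG);

# Compile a user-supplied pattern without letting it run code.
# Perl refuses (?{ }) and (??{ }) in an interpolated pattern unless
# 'use re "eval"' is in force, so a failed compile is a rejection.
sub compile_user_regex {
    my ($pattern, $max_len) = @_;
    $max_len //= 200;                         # assumed length cap
    return (undef, "pattern too long") if length($pattern) > $max_len;
    my $re = eval { qr/$pattern/ };
    return (undef, "rejected: $@") unless defined $re;
    return ($re, undef);
}

# Run the match in a child process with a wall-clock bound, so a
# pattern that backtracks heavily can be killed instead of hanging
# the filter (an alarm inside a single regex op is not reliably seen).
sub timed_match {
    my ($re, $text, $seconds) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    exit($text =~ $re ? 0 : 1) if $pid == 0;  # child reports via exit status
    my $deadline = time + $seconds;
    while (waitpid($pid, WNOHANG) == 0) {
        if (time > $deadline) {
            kill 'KILL', $pid;
            waitpid($pid, 0);
            return (undef, "timed out after ${seconds}s");
        }
        select(undef, undef, undef, 0.05);    # sleep 50 ms between polls
    }
    return (($? >> 8) == 0 ? 1 : 0, undef);
}

# Constructed sample patterns, not user data from the original post.
my @patterns = (
    'foo\d+',                 # ordinary pattern: accepted
    '(?{ system("id") })',    # code block: refused by qr// at compile time
    '(??{ "x" })',            # deferred code block: also refused
    '^(\w+\s?)*$',            # compiles, but may backtrack heavily
);
for my $p (@patterns) {
    my ($re, $err) = compile_user_regex($p);
    if (!$re) { print "REJECT [$p]: $err"; next; }
    my ($hit, $merr) = timed_match($re, ('word ' x 20) . '!', 2);
    print "[$p]: ", defined $hit ? ($hit ? "match" : "no match") : $merr, "\n";
}
```

The compile step catches the code-execution case the first reply describes; the child-process timeout is what turns the backtracking problem from "impossible to check" into a bounded cost, at the price of a fork per match.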