Re^3: Vulnerabilities when editing untrusted code... (compiletime injection in regex)


Perl Monk, Perl Meditation
	PerlMonks

Re^3: Vulnerabilities when editing untrusted code... (compiletime injection in regex)

by LanX (Saint)

on Oct 06, 2021 at 15:24 UTC ( [id://11137266]=note: print w/replies, xml )

Need Help??

in reply to Re^2: Vulnerabilities when editing untrusted code... (compiletime injection in regex)
in thread Vulnerabilities when editing untrusted code... (Komodo)

OK the term "eval-group" seems to refer to an optimization which concats 2 strings °

'' =~ ('STRING1'.'STRING2');

but if you don't bother splitting up the BEGIN you can still inject code at compiletime :(

D:\tmp\pm>type unsafe_regex_BEGIN.pl
exit;
'' =~ m/(?{ BEGIN{ die "owned"} })/ ;

D:\tmp\pm>perl -c unsafe_regex_BEGIN.pl
owned at unsafe_regex_BEGIN.pl line 2.
BEGIN failed--compilation aborted at unsafe_regex_BEGIN.pl line 2.

D:\tmp\pm>
[download]

Cheers Rolf
_{(addicted to the Perl Programming Language :)

Wikisyntax for the Monastery}

°) and variable interpolation in general see re#'eval'-mode

Comment on Re^3: Vulnerabilities when editing untrusted code... (compiletime injection in regex) Select or Download Code

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://11137266]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others wandering the Monastery: (8)

As of 2024-04-18 06:41 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found