PerlMonks  

Re: Question on evaluating a user built regex

by Sweeper (Pilgrim)
on Apr 23, 2002 at 05:50 UTC ( [id://161217]=note )


in reply to Question on evaluating a user built regex

Security Hazard!

Are you sure you want to evaluate a user regexp? The user can insert a (?{...}) construct to include some Perl executable code, which can in turn include a call to system, or backticks, which can contain very bad things.

And there is more than one way to do nasty things. The user can write a Denial-of-Service regexp, a regexp which backtracks a lot and locks your machine. See Mastering Regular Expressions page 140+ (the book with two owls on the cover).

Update

Yes, Perlplexer, you are right. The security hazards are mostly irrelevant in a Perl/Tk program. Yet, my warning still holds for any monk who would use the answers in this thread for a CGI program (or any client-server app for that matter).
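
For the CGI or client-server case, both hazards named above can be contained on the server side. The following is an added example, not part of the original post or thread: `safe_match` and the sample inputs are hypothetical, and it assumes a Unix-like system with a real `fork`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();
no re 'eval';   # the default, stated explicitly: never enable "use re 'eval'" here

# safe_match is a hypothetical helper, not from the thread.
# Returns 1 or 0 for match / no match, undef if the pattern is refused or times out.
sub safe_match {
    my ($pattern, $text, $timeout) = @_;
    $timeout ||= 2;

    # Runtime compilation dies on syntax errors and on (?{...}) / (??{...}).
    my $re = eval { qr/$pattern/ };
    return undef unless defined $re;

    # Deferred signals cannot interrupt a match in progress, so the match
    # runs in a child process that the parent kills when the alarm fires.
    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        close $rd;
        print {$wr} ($text =~ $re ? 1 : 0);
        close $wr;
        POSIX::_exit(0);    # skip END blocks and inherited output buffers
    }
    close $wr;
    my $result = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        my $r = <$rd>;
        alarm 0;
        $r;
    };
    alarm 0;
    kill 'KILL', $pid unless defined $result;
    waitpid $pid, 0;
    close $rd;
    return $result;
}

# Constructed inputs: a plain pattern, the code construct from the post, a syntax error.
for my $p ('^fo+$', '(?{ 1 })', 'fo(') {
    my $r = safe_match($p, 'foo');
    printf "%-10s => %s\n", $p, defined $r ? $r : 'refused or timed out';
}
```

The child process is what makes the time limit effective: an `alarm` set around the match in the same process is only noticed after the match operation has finished.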

Re: Re: Question on evaluating a user built regex
by perlplexer (Hermit) on Apr 23, 2002 at 13:06 UTC
    He is using Tk...
    If the user of that Tk app so desires, he can surely lock up his own PC... but who cares? ;)

    --perlplexer
