PerlMonks  

Regex Dangerous??

by mt2k (Hermit)
on Mar 23, 2001 at 04:45 UTC ( [id://66531]=perlquestion: print w/replies, xml ) Need Help??

mt2k has asked for the wisdom of the Perl Monks concerning the following question:

Could the following regular expression prove to be dangerous to the server:

if ($string =~ /$input{'variable'}/gis) { #Some processing }

The $input{'variable'} variable would be a value entered from a textfield from a CGI script.

I don't think entering commands does anything, but I noticed that you can enter special characters, such as character classes, parentheses, periods, carets, and dollar signs. So is there any danger of files being deleted, or anything else I would want to class as bad?? Or would it just allow some nice restrictions for a search engine??

So if it is dangerous somehow, I should use:

if ($string =~ /\Q$input{'variable'}/) { #blah blah blah... }
right??

Replies are listed 'Best First'.
Re: Regex Dangerous??
by merlyn (Sage) on Mar 23, 2001 at 04:52 UTC
    Amongst other potential dangers, there's a "denial of service" attack trivially possible with a short regex that fails to match, but fails to match in exponentially countable ways. See Jeffrey Friedl's "Mastering Regular Expressions" for a discussion of this.

    Solution: make sure you have a timeout alarm set.

    -- Randal L. Schwartz, Perl hacker

Re: Regex Dangerous??
by mt2k (Hermit) on Mar 23, 2001 at 04:50 UTC
    Though I just found out I'd have to use something like:
    $input{'variable'} =~ s/\\/\\\\/gs;
    because otherwise you get a server error if you simply type in '\'
      Well, you'll get server errors for a lot more than that. Any invalid regex will bollux you. What you need to do is wrap it in an eval block, and capture the $@ variable. Standard exception-handling stuff.

      -- Randal L. Schwartz, Perl hacker
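As an added example, not code from the thread, here are the two defences from this exchange in one Perl script: \Q for a purely literal search, and, where users genuinely need regex features, a timeout alarm plus an eval that reports the compile error from $@ instead of dying with a server error. The sub names and the sample inputs are my own, and the alarm-interrupts-the-match behaviour assumes a perl whose regex engine checks for pending signals (current perls do).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): run a user-supplied pattern
# against $string with both safeguards merlyn describes. Returns
# 'match', 'nomatch', 'invalid' (bad regex, caught via eval/$@) or
# 'timeout' (the alarm fired before the match finished).
sub match_user_pattern {
    my ($string, $pattern, $timeout) = @_;
    $timeout ||= 2;    # seconds; tune for the server

    my $status;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        # Compile first: a syntax error (e.g. a lone trailing '\')
        # dies here and is caught by the eval rather than killing the CGI.
        my $re = qr/$pattern/is;
        $status = ($string =~ $re) ? 'match' : 'nomatch';
        alarm 0;
    };
    alarm 0;    # always clear the alarm, even when the eval died
    if ($@) {
        return 'timeout' if $@ eq "timeout\n";
        return 'invalid';    # $@ carries the regex compile error text
    }
    return $status;
}

# Literal search: \Q...\E escapes every metacharacter, so the user's
# text is matched verbatim and can never act as a regex at all.
sub match_literal {
    my ($string, $text) = @_;
    return ($string =~ /\Q$text\E/is) ? 'match' : 'nomatch';
}

# Constructed sample inputs
my $text = "The quick brown fox";
print "literal: ", match_literal($text, 'quick (brown)'), "\n";   # parens are plain text
print "regex:   ", match_user_pattern($text, 'quick (brown)'), "\n";
print "regex:   ", match_user_pattern($text, '\\'), "\n";          # single backslash
# A pattern that backtracks heavily on a subject it cannot match
# (the denial-of-service case); the alarm bounds the time it may consume.
my $slow_subject = (' ' x 200_000) . 'x';
print "regex:   ", match_user_pattern($slow_subject, '\s+$', 1), "\n";
```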
