Re: regexp validation (arbitrary code execution) (regexp injection)
- From: merlyn@xxxxxxxxxxxxxx ((Randal L. Schwartz))
- Date: Thu, 02 Jun 2011 06:36:28 -0700
"Stanisław" == Stanisław Findeisen <stf@xxxxxxxxxxxxx> writes:
Stanisław> But you don't want to let them execute any code.
Unless "use re 'eval'" is in scope, /$a/ is safe even if $a came from an
untrusted source, as long as you limit the run-time to a few seconds or
so with an alarm. (Some regex can take nearly forever to fail.)
See "perldoc perlre" for more details.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@xxxxxxxxxxxxxx> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
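An added illustration of the two points in the reply above (it is example code, not part of the original message or of any project): a helper that interpolates an untrusted pattern without `use re 'eval'` in scope and bounds the match with `alarm`. The helper name, the timeout value and the sample inputs are all constructed for this example; how quickly a given perl short-circuits the nested-quantifier case varies with its optimizer.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Deliberately NOT "use re 'eval'": without it, a (?{ ... }) or (??{ ... })
# group arriving inside an interpolated pattern makes compilation die instead
# of running code, so an attacker-controlled pattern can at most burn CPU.

# Hypothetical helper: compile and apply an untrusted pattern under a
# wall-clock limit. Returns 'match', 'nomatch', 'timeout' or 'rejected: ...'.
sub match_untrusted {
    my ($pattern, $subject, $seconds) = @_;
    $seconds //= 2;                       # constructed default, in seconds
    my $result = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $seconds;                   # bound compile + match time
        my $re = qr/$pattern/;            # dies on eval-groups (no re 'eval')
        my $hit = ($subject =~ $re) ? 'match' : 'nomatch';
        alarm 0;
        $hit;
    };
    alarm 0;                              # always clear a pending timer
    return $result if defined $result;
    return 'timeout' if $@ eq "timeout\n";
    chomp(my $err = $@);
    return "rejected: $err";              # e.g. "Eval-group not allowed at runtime..."
}

# Constructed sample inputs for demonstration.
my @cases = (
    [ '^[a-z]+$',                'hello' ],              # ordinary, benign
    [ '(?{ warn "code ran" })',  'anything' ],           # code group: rejected, never run
    [ '^(a+)+$',                 ('a' x 40) . 'b' ],     # nested quantifier; may hit the alarm
);
for my $c (@cases) {
    my ($pat, $subj) = @$c;
    printf "%-28s => %s\n", $pat, match_untrusted($pat, $subj, 2);
}
```

The second case is the one the thread is about: with `re 'eval'` out of scope, `qr/$pattern/` refuses the eval-group at compile time, so the warn never executes and the caller sees a "rejected" result rather than a code path under the sender's control.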