
Re: Untaint a string match, regular expression.

by cheako (Beadle)
on May 18, 2015 at 03:33 UTC


in reply to Untaint a string match, regular expression.

To sum up the best advice I've seen.

  1. Suggest adding no re 'eval'; to ensure it's off
  2. Use a sub-process (fork) with BSD::Resource (even on Linux) to ulimit memory and kill the child after some timeout

Perhaps #2 is overkill, there may be a simpler method, like additional flags to #1. Suggest adding a maxiterations to limit the number of times re is allowed to loop and maxmem.

References:

  1. Re^4: Untaint a string match, regular expression.
  2. Re^7: Untaint a string match, regular expression.

Re^2: Untaint a string match, regular expression.
by hdb (Monsignor) on May 18, 2015 at 07:53 UTC

    Depending on your application, I would really only let the user input wildcards like "*" and "?" (DOS style), not regular expressions. Alternatively, if the data to be matched comes from a database, SQL-style wildcards could be an alternative. Everything else will be escaped.

    This is easy to implement and will not create trouble with security or memory. It will also go a long way, probably for most applications.

    If you look at PM's Super Search, it works without any regular expressions but is still quite powerful.
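An added example, not code from either reply, showing the approach above: only "*" and "?" are given meaning, everything else goes through quotemeta so a user-supplied pattern can never become an arbitrary regex, and the first point from the reply above (no re 'eval') is kept as a belt-and-braces setting. The file names and patterns are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
no re 'eval';    # keep (?{ ... }) / (??{ ... }) disabled even if a pattern is interpolated

# Convert a DOS-style wildcard pattern into an anchored Perl regex.
# Only '*' and '?' carry meaning; every other character is escaped with
# quotemeta, so metacharacters in user input are matched literally.
sub wildcard_to_regex {
    my ($pattern) = @_;
    my $re = join '', map {
        $_ eq '*' ? '.*'
      : $_ eq '?' ? '.'
      :             quotemeta($_)
    } split //, $pattern;
    return qr/\A$re\z/s;
}

# Constructed sample data: names to search and patterns with expected hits.
my @names = qw(report.txt report.bak notes.txt archive.tar.gz);
my %cases = (
    '*.txt'          => [qw(report.txt notes.txt)],
    'report.?xt'     => [qw(report.txt)],
    '(a+)+$'         => [],                  # regex syntax stays literal, no catastrophic backtracking
    'archive.tar.gz' => [qw(archive.tar.gz)],
);

for my $pat (sort keys %cases) {
    my $re      = wildcard_to_regex($pat);
    my @matched = grep { $_ =~ $re } @names;
    my $expect  = join ',', @{ $cases{$pat} };
    my $got     = join ',', @matched;
    printf "%-16s -> %-28s %s\n", $pat, $re,
        ($got eq $expect ? 'ok' : "FAIL (got '$got')");
}
```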
