PerlMonks
Re^2: Passing a regex from a CGI HTML form (user supplied regex substitution without eval)

by Anonymous Monk
on Aug 31, 2016 at 21:49 UTC [id://1170930]


in reply to Re: Passing a regex from a CGI HTML form
in thread Passing a regex from a CGI HTML form

There are safer ways to use eval, or even avoid it altogether

The Perl Regex Tester

Re^3: My Favourite Regex Tools (Was: Parsing a Variable Format String)

String::Interpolate::RE

It can be as simple as

use String::Interpolate::RE qw( strinterp );

print Substitution( "input string", "pattern", "replacement", "flags" );

sub Substitution {
    my( $in, $re, $rep, $flags ) = @_;
    my $global  = $flags =~ m{g}i;
    my $qrFlags = join '', $flags =~ m{[msixpodualn]}i;
    $qrFlags = "(?$qrFlags)";
    $re = qr{$qrFlags$re};
    if( $global ){
        $in =~ s{$re}{ Replace($rep, \%+,{1=>$1,2=>$2,3=>$3}); }gex;
    } else {
        $in =~ s{$re}{
            my $vars = { %+, 1=>$1, 2=>$2, 3=>$3, };
            strinterp( $rep, $vars );
        }ex;
    }
}

sub Replace {
    my( $rep, $named, $numed ) = @_;
    my $vars = { %$named, %$numed, 'bananas','bananas' );
    return strinterp( $rep, $vars );
}
Re^3: Passing a regex from a CGI HTML form (user supplied regex substitution without eval)
by trippledubs (Deacon) on Sep 01, 2016 at 01:34 UTC

    Seems like these types of modules try to make an explicitly unsafe course of action less unsafe.

    From String::Interpolate::RE Docs -
    This module interpolates variables into strings using regular expression matching rather than Perl's built-in interpolation mechanism and thus hopefully does not suffer from the security problems inherent in using eval to interpolate into strings of suspect ancestry.

    From String::Interpolate Docs -
    Because the Perl string interpolation engine can call arbitrary Perl code you do not want to use it on strings from untrusted sources without some precautions. For this reason String::Interpolate objects can be made to use Safe compartments. This is, of course, only as safe as Safe and you are advised to read the "WARNING" section of the Safe documentation.

    Your code did not compile for me, but I guess the point is to try and override the substitution operator with some subset of safer features. I acknowledge that could be successful, but also the OP could just use eval in any context where all user input is trusted and be fine. The OP is troubleshooting his gambling code on the clock here, so every second counts.

      You gotta have a canned solution for ignorant newbies and impatient veterans

      It's not like it takes long to DIY up a little safety. I typed up the above in the preview box; now tested, with my own Turpolate

      use String::Interpolate::RE qw( strinterp );

      print Substitution("BellyAche\n", '([a-z])([A-Z])', '$1 $2', '');
      print Substitution("BellyAche\n", '([a-z])([A-Z])', '$1 $2', 'g');

      sub Substitution {
          my( $in, $re, $rep, $flags ) = @_;
          my $global  = $flags =~ m{g}i;
          # /g so every flag letter is collected, not only the first one
          my $qrFlags = join '', $flags =~ m{([msixpodualn])}gi;
          $qrFlags = "(?$qrFlags)";
          $re = qr{$qrFlags$re};
          if( $global ){
              $in =~ s{$re}{ Replace($rep, \%+,{1=>$1,2=>$2,3=>$3}); }gex;
          } else {
              $in =~ s{$re}{
                  my $vars = { %+, 1=>$1, 2=>$2, 3=>$3, };
                  Turpolate( $rep, $vars );
              }ex;
          }
          return $in;
      }

      sub Turpolate {
          my( $str, $vars ) = @_;
          # expand $name only when it is a known capture; anything else stays literal text
          $str =~ s{\$(\w+)}{ exists $vars->{$1} ? $vars->{$1} : '$'.$1 }gex;
          return $str;
      }

      sub Replace {
          my( $rep, $named, $numed ) = @_;
          my $vars = { %$named, %$numed, 'bananas','bananas' };
          return strinterp( $rep, $vars );
      }

      __END__
      Belly Ache
      Belly Ache
        print Substitution("canned","working");              #canned
        print Substitution("canned","compiles",'$1 $2','g'); #canned
        print Substitution("canned","flawed",'$1 $2');       #canned
        print Substitution("canned",".*",`ls`);              #first directory entry
        `touch down`;
        print Substitution("canned",".*",`rm down`);         #deleted file
Re^3: Passing a regex from a CGI HTML form (user supplied regex substitution without eval)
by Anonymous Monk on Aug 31, 2016 at 21:51 UTC
    Also a good idea to add no re 'eval'; in that sub
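Putting the thread's pieces together (Turpolate-style expansion of the replacement, no string eval anywhere, and the no re 'eval' suggested above), here is an added example that is not code from any post in this thread; the name safe_substitute, its whitelist of inline modifiers and the sample inputs are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code posted in this thread. Substitution driven entirely
# by untrusted strings, with no string eval anywhere: the replacement is
# expanded by a small interpolator that knows only $1..$n, ${n} and ${name}
# (named captures); everything else in it is copied through as literal text.
# Returns the new string, or (undef, message) if the user's pattern is refused.
sub safe_substitute {
    my ( $in, $pattern, $replacement, $flags ) = @_;
    $flags //= '';
    no re 'eval';    # a (?{ ... }) in the interpolated pattern dies, even under an outer use re 'eval'

    # Whitelist of inline modifiers forwarded to the regex (assumption: the
    # application needs no others); any other character in $flags is ignored.
    my $inline = join '', $flags =~ /([imsxn])/g;
    my $re = eval { length $inline ? qr/(?$inline)$pattern/ : qr/$pattern/ };
    return ( undef, "pattern rejected: $@" ) unless defined $re;

    my $expand = sub {
        # Snapshot the captures of the current match before the inner s///
        # below overwrites $1, @- and %+.
        my %cap = %+;                                          # named groups
        for my $n ( 1 .. $#- ) {                               # numbered groups
            $cap{$n} = substr( $in, $-[$n], $+[$n] - $-[$n] ) if defined $-[$n];
        }
        ( my $out = $replacement ) =~ s{\$(?:\{(\w+)\}|(\d+))}{
            my $k = defined $1 ? $1 : $2;
            exists $cap{$k} ? $cap{$k} : "\$$k";    # unknown name: stays as text
        }ge;
        return $out;
    };

    if ( $flags =~ /g/ ) { $in =~ s/$re/$expand->()/ge }
    else                 { $in =~ s/$re/$expand->()/e }
    return $in;
}

# Constructed inputs standing in for the CGI form fields.
print safe_substitute( "BellyAche", '([a-z])([A-Z])', '$1 $2', 'g' ), "\n";
print safe_substitute( "2016-08-31", '(?<y>\d+)-(?<m>\d+)-(?<d>\d+)', '${d}/${m}/${y}' ), "\n";
# Under s///ee this replacement would be run as code; here it is only text.
print safe_substitute( "BellyAche", 'Ache', '@{[ 1 + 1 ]}' ), "\n";
# A pattern carrying a code block is refused rather than compiled.
my ( $out, $err ) = safe_substitute( "x", '(?{ 1 })', '' );
print defined $out ? "$out\n" : "$err\n";
```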
