PerlMonks  

Re: Avoid eval() / dynamic regular expressions

by crashtest (Curate)
on Dec 15, 2009 at 01:49 UTC ( #812800=note )


in reply to Avoid eval() / dynamic regular expressions

Just chiming in to quickly point out that eval'ing user-supplied input is, of course, a security risk. Even with regular expressions. Of course, you know your users and the level of trust you place in them. If your users are "the web", however, things could get hairy:

# using the 'eval' feature of a substitution...
$regex = "s/foo/system 'rm -rf /'/eg";
# ... or even...
$regex = "m/(?{ system 'rm -rf /' })/";

If you're coming from the web, you should be running under taint mode anyway, and Perl will stop you before you hurt yourself.

As far as further optimizations, I think it would really depend on what your requirements are. If users are supposed to be able to supply any Perl regex they'd like, ikegami has given you a nice way to isolate the eval() and run it only once.
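
An added example, not part of crashtest's post or of the thread: when users only need to supply a pattern and a replacement string rather than arbitrary Perl, the string eval can be dropped entirely. The names `compile_user_pattern` and `substitute` and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compile a user-supplied pattern without string eval. Because "use re 'eval'"
# is NOT in effect, Perl refuses (?{ ... }) and (??{ ... }) in a pattern that
# is interpolated at run time, so qr// dies instead of running embedded code.
sub compile_user_pattern {
    my ($text) = @_;
    my $re = eval { qr/$text/ };    # block eval: only traps the exception
    return $re;                     # undef if the pattern was rejected
}

# Apply a user-supplied pattern and replacement. Without /e the replacement
# is plain string data and is never executed as Perl.
sub substitute {
    my ($input, $pattern, $replacement) = @_;
    my $re = compile_user_pattern($pattern);
    return undef unless defined $re;
    (my $out = $input) =~ s/$re/$replacement/g;
    return $out;
}

# Constructed sample inputs: (pattern, replacement) pairs as a user might supply.
my @samples = (
    [ 'fo+',               'bar' ],
    [ 'foo',               q{system 'true'} ],    # stays literal text
    [ q{(?{ print "x" })}, 'bar' ],                # code block: rejected
    [ 'foo(',              'bar' ],                # syntax error: rejected
);

for my $s (@samples) {
    my ($pat, $rep) = @$s;
    my $out = substitute('foo and fooo', $pat, $rep);
    printf "%-22s => %s\n", $pat, defined $out ? $out : 'REJECTED';
}
```

The second sample shows the difference from the `/e` form in the post: the replacement appears in the output as text instead of being run.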


Re^2: Avoid eval() / dynamic regular expressions
by grasbueschel (Initiate) on Dec 15, 2009 at 08:48 UTC

    Well, the users will run this on their own workstation, so it's their choice which statements they place into the file :)

    But thanks for pointing it out!
