
Re: Avoid eval() / dynamic regular expressions

by crashtest (Curate)
on Dec 15, 2009 at 01:49 UTC

in reply to Avoid eval() / dynamic regular expressions

Just chiming in to quickly point out that eval'ing user-supplied input is, of course, a security risk. Even with regular expressions. Of course, you know your users and the level of trust you place in them. If your users are "the web", however, things could get hairy:

# using the 'eval' feature of a substitution...
$regex = "s/foo/system 'rm -rf /'/eg";
# ... or even...
$regex = "m/(?{ system 'rm -rf /' })/";

If you're coming from the web, you should be running under taint mode anyway, and Perl will stop you before you hurt yourself.

As far as further optimizations, I think it would really depend on what your requirements are. If users are supposed to be able to supply any Perl regex they'd like, ikegami has given you a nice way to isolate the eval() and run it only once.
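One way to take a rules file from untrusted users without ever handing the rule text to eval(), as an added example that is not part of crashtest's post or anyone's posted code. The rule grammar (only `s/pat/repl/flags`, only the `g` and `i` flags, `$1..$9` in the replacement) and the helper names `parse_rule`, `expand_repl` and `apply_rule` are choices made for this example, and the sample rules are constructed; the last two are the hostile shapes shown in the post above. The pattern half is compiled with `qr//`, which treats the string as a pattern rather than as code, and a `(?{ })` block interpolated from a string is refused by Perl at that point ("Eval-group not allowed at runtime") unless the program opts in with `use re 'eval'`. Taint mode would additionally refuse `eval STRING` on tainted data, but this code does not depend on it.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: apply user-supplied
# s/pat/repl/flags rules without passing the rule text to eval().
use strict;
use warnings;

# Constructed sample rules.  The last two are the hostile shapes from
# the post above and must be rejected, never executed.
my @rules = (
    's/foo/bar/g',
    's/(\d+)-(\d+)/$2..$1/',
    q{s/foo/system 'rm -rf /'/eg},
    q{m/(?{ system 'rm -rf /' })/},
);

# Accept only s/pat/repl/flags with the flags g and i.  Because 'e' is
# not on the allowlist, the replacement is a template string, not code.
sub parse_rule {
    my ($rule) = @_;
    return unless $rule =~ m{\A s/ ((?:[^/\\]|\\.)*) / ((?:[^/\\]|\\.)*) / ([gi]{0,2}) \z}x;
    my ($pat, $repl, $flags) = ($1, $2, $3);
    # qr// compiles the string as a pattern only.  A (?{ }) block that
    # arrives through an interpolated string dies here with
    # "Eval-group not allowed at runtime" (we do not 'use re "eval"'),
    # and so does any syntactically invalid pattern; both become undef.
    my $re = eval { $flags =~ /i/ ? qr/$pat/i : qr/$pat/ };
    return unless defined $re;
    return { re => $re, repl => $repl, global => ($flags =~ /g/ ? 1 : 0) };
}

# Expand $1..$9 and the escaped delimiter \/ in the replacement template
# from the capture groups saved by the caller.  Plain string work, no eval.
sub expand_repl {
    my ($tmpl, @groups) = @_;
    $tmpl =~ s{\\/}{/}g;
    $tmpl =~ s{\$(\d)}{ defined $groups[$1 - 1] ? $groups[$1 - 1] : '' }ge;
    return $tmpl;
}

# Run one parsed rule over $text, rebuilding the output from match offsets
# so the replacement text is only ever concatenated, never interpreted.
sub apply_rule {
    my ($r, $text) = @_;
    my $re = $r->{re};
    my ($out, $last) = ('', 0);
    while ($text =~ /$re/g) {
        my ($s, $e) = ($-[0], $+[0]);
        my @groups = map {
            defined $-[$_] ? substr($text, $-[$_], $+[$_] - $-[$_]) : undef
        } 1 .. $#+;
        $out .= substr($text, $last, $s - $last) . expand_repl($r->{repl}, @groups);
        $last = $e;
        last unless $r->{global};
    }
    return $out . substr($text, $last);
}

my $text = 'foo 12-34 foo';
for my $rule (@rules) {
    my $r = parse_rule($rule);
    if (!$r) {
        print "rejected: $rule\n";
        next;
    }
    print "$rule  =>  ", apply_rule($r, $text), "\n";
}
```

The two hostile rules never get as far as compilation: the grammar rejects them because `'/eg` and `m/...` are not an allowed flag set or rule form. If a user manages to smuggle `(?{ })` into the pattern half, `qr//` refuses it and the rule is dropped rather than run. The price of this design is that only the replacement features you explicitly parse (`$N`, `\/`) work; that is the point, since anything richer than a template would be a small interpreter of its own.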

Re^2: Avoid eval() / dynamic regular expressions
by grasbueschel (Initiate) on Dec 15, 2009 at 08:48 UTC

    Well, the users will run this on their own workstation, so it's their choice which statements they place into the file :)

    But thanks for pointing it out!
