gra_kev has asked for the wisdom of the Perl Monks concerning the following question:
I need to be able to solicit a regex from an untrusted user to match against a set of values. Conveniently ignoring the DoS vector, I do want to avoid the obvious bits such as code execution or leaking internal data via variable interpolation.
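```perl
use Safe;

# Untrusted pattern text; the commented-out line is the code-execution test case.
#my $stranger_danger = '(?{ system("touch /tmp/foobar") })';
my $stranger_danger = '\d';
my @vals = ( 'a', 'b', 'c', '1', '2' );

# Compartment that is additionally allowed to compile regexes.
my $test_env = Safe->new;
$test_env->permit( 'regcomp' );

# Wrap the matcher so it executes inside the compartment.
my $tester = $test_env->wrap_code_ref( sub { $_ =~ qr/$stranger_danger/ } );

print "Safely matched ", join( ', ', grep { $tester->( $_ ) } @vals ), "\n";
```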
This appears to do what I want (e.g. '(?{ system("touch /tmp/foobar") })' is rejected by Safe), but is there anything else to consider? Is there a better way to go about this?
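An added example, not part of the original post or any reply: in plain Perl, `(?{ ... })` and `(??{ ... })` are refused in a pattern built by run-time interpolation unless `use re 'eval'` is in scope, and interpolation is single-pass, so variable names inside the user's string are not expanded. The helper name `compile_user_regex`, the length cap and the `$secret` value are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper (not from the original post): compile an untrusted
# pattern string. Returns ( $qr, undef ) on success, ( undef, $error ) on failure.
sub compile_user_regex {
    my ($pattern) = @_;

    # Constructed policy: refuse empty or very long input before compiling.
    return ( undef, "empty pattern\n" )
        unless defined $pattern && length $pattern;
    return ( undef, "pattern too long\n" ) if length $pattern > 200;

    # Make the default explicit for this scope: code blocks are not allowed
    # in patterns assembled by run-time interpolation.
    no re 'eval';

    # Syntax errors and forbidden constructs die inside qr//; trap them.
    my $re = eval { qr/$pattern/ };
    return ( undef, $@ ) unless defined $re;
    return ( $re, undef );
}

my @vals = ( 'a', 'b', 'c', '1', '2' );    # values from the post
our $secret = 'hunter2';                   # constructed "internal data"

my @candidates = (
    '\d',                                      # ordinary pattern
    '(?{ system("touch /tmp/foobar") })',      # the post's code-execution test
    '(??{ "a" })',                             # postponed-regex code block
    '(',                                       # plain syntax error
    '$main::secret',                           # attempted variable interpolation
);

for my $pattern (@candidates) {
    my ( $re, $err ) = compile_user_regex($pattern);
    if ( !defined $re ) {
        print "rejected [$pattern]: $err";
        next;
    }
    # '$main::secret' compiles as an end-of-line anchor followed by literal
    # text, so it does not expand to, or match, the value of $secret.
    my @hits = grep { $_ =~ $re } ( @vals, $secret );
    print "accepted [$pattern]: matched (@hits)\n";
}
```

This does nothing about the catastrophic-backtracking DoS vector that the post sets aside.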
Replies are listed 'Best First'.
Re: Safe wrapper for user regex?
by ww (Archbishop) on Mar 26, 2013 at 16:08 UTC
by Anonymous Monk on Mar 26, 2013 at 16:43 UTC
by ww (Archbishop) on Mar 26, 2013 at 17:13 UTC
Re: Safe wrapper for user regex?
by Anonymous Monk on Mar 26, 2013 at 15:29 UTC
Re: Safe wrapper for user regex?
by sundialsvc4 (Abbot) on Mar 27, 2013 at 15:13 UTC