1. Find the end of the quoted construct.
2. Removal of backslashes before delimiters.
3. Interpolation (this is where \L and friends processing happens)
4. Interpolation of regular expressions.
5. Optimization of regular expressions.

So, by the time the regex engine gets the string, any \L it finds it treats is as an escaped L - which will trigger a warning.

Strings gotten from the environment, like program parameters, are never parsed as quoted constructs (unless you 'eval' them).

I'll use \U as an example, because it's slightly less mind-bending to follow what's going on. But the same thing applies to all three directives (and it's really only \Q that I'm really interested in).

Because patterns are processed as double quoted strings, the following also work:

Now all is fine, but the cure is worse than the disease. Any person reading the code will quickly spot that they could have a lot of fun by specifying a pattern such as /.`rm -rf /`./ and then you are in a world of pain.

At this point, the only way out of this conundrum that I can see is to either hand parse the pattern (erk) or use a Safe compartment (re-erk).

Just my two eurocents.

I have no solution to the eval problem, but FWIW, MO=Deparse,-p clarifies the issue:

% perl -MO=Deparse,-p -le '$patt = "a\Ubc"; print qr/$patt/'
BEGIN { $/ = "\n"; $\ = "\n"; }
($patt = 'aBC');
print(qr/$patt/);
-e syntax OK
[download]

% perl -MO=Deparse,-p -le '$patt = "a\Q[bc]\E"; print qr/$patt/'
BEGIN { $/ = "\n"; $\ = "\n"; }
($patt = 'a\\[bc\\]');
print(qr/$patt/);
-e syntax OK
[download]

Note that this behavior occurs only if the RHS of the first assignment is double-quoted; with single-quotes you end up with the same problem as if the pattern had been passed in in @ARGV:

% perl -le '$patt = q(a\Ubc); print qr/$patt/'
(?-xism:a\Ubc)
[download]

use strict;
use warnings;

my $scary_regex = shift;
$scary_regex =~ tr/\cA//d;
# There are now no control-As in the string,
# so I can safely use them as delimiters

my $safe_pat = eval "qq\cA$scary_regex\cA";
my $safe_reg = qr/$safe_pat/;

print "Safe pat is $safe_pat; reg is $safe_reg\n";
[download]

Update: Pustular Postulant pointed out that you could go straight to the regex, rather than having the intermediate $safe_pat string (just use qr instead of qq). When I was putting it together, something told me that wasn't safe, but I think it is.
Also note that \cA on the input works fine, if you actually want control-A in your pattern.

Eval, even just for double-quote(ish) interpolation, is still not safe, because it can interpolate ${BLOCK} type expressions, and BLOCK can contain any arbitrary code. Try calling the above script with ${print "I coulda killed ya"} as an argument.

[I had a recommendation for plugging the hole, but it was wrong!]

I am not aware of any other holes, but that doesn't mean there can't be any.

---

Caution: Contents may have been coded under pressure.

That's a surprising loophole, since perl is aware of the danger of runtime evaluation of a regexp with an eval group:

% perl -e '/$ARGV[0]/' '(?{print "nasty\n"})'
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{print "
+nasty\n"})/ at -e line 1.
% perl -e 'eval qq(/$ARGV[0]/)' '(?{print "nasty\n"})'
nasty
[download]

the lowliest monk

my $foo = shift;
print $foo,"\n";
[download]

[ambs@eremita tmp]$ perl foo.pl 'fo\o'
fo\o
[download]

use strict;
use warnings;

my $pattern = shift;
my $target = 'aBC';
my $regex;
eval "\$regex = qr ($pattern)";
print $regex, "\n";
print $target =~ $regex ? "$pattern Worked!\n" : "$pattern Failed!\n";
[download]

The eval line interpolates the pattern before it is turned into a regex by qr.

Also consider $pattern =~ s/(.*)/qq(qq($1))/ee; as a way of doing the interpolation without using a direct eval. This method can still be poisoned using a carefully crafted regex.

What about a pattern like 'a\Ubc) ; `rm -rf /` ; ('? Eval is always dangerous in untrusted data, as the original post claims.

Now all is fine, but the cure is worse than the disease. Any person reading the code will quickly spot that they could have a lot of fun by specifying a pattern such as /.`rm -rf /`./ and then you are in a world of pain.

First, that presupposes that they have a shell account on the machine. They may not. Second, that would allow them to remove all files that /they/ have access to delete. The OP's program might be (e.g.) a CGI that is not S(U|G)ID but is not run as that user, either.

At this point, the only way out of this conundrum that I can see is to either hand parse the pattern (erk) or use a Safe compartment (re-erk).

    s{\G([^\\]*(?:\\[^Q][^\\]*)*)
        \\Q
        ([^\\]*(?:\\[^E][^\\]*)*) 
        (?:\\E|$)}
     {$1\Q$2}gx;
[download]

[dean:~]$ perl -v

This is perl, v5.8.1-RC3 built for darwin-thread-multi-2level
(with 1 registered patch, see perl -V for more detail)

Copyright 1987-2003, Larry Wall
...

[dean:~]$ cat /tmp/deleteme.pl 
#!/usr/bin/perl
use strict;
use warnings;

my $patt = shift;
$patt = qr/$patt/;
my $target = shift || 'aBC';
print "'$target' =~ $patt\n";
print $target =~ $patt;
print $/;

[dean:~]$ /tmp/deleteme.pl 'a\Ubc'
Unrecognized escape \U passed through in regex; marked by <-- HERE in 
+m/a\U <-- HERE bc/ at /tmp/deleteme.pl line 6.
'aBC' =~ (?-xism:a\Ubc)
[download]

Good Day,
  Dean

Update: If you're only interested in \Q, a more sane hack than eval might be to call quotemeta yourself, something like this, but with quotemeta:

#!/usr/bin/perl
use strict;
use warnings;

no warnings "uninitialized";

my $patt = 'a\Ubc';
$patt =~ s/(^|[^\\])(\\\\)*\\U(.*?)(?:\\E|$)/$1.$2.uc($3)/se;
$patt = qr/$patt/;

my $target = 'aBC';
print "'$target' =~ $patt\n";
print $target =~ $patt;
print $/;
[download]

Update 2: Oops, I missed your "erk" about hand-parsing the pattern. Sorry to suggest it.