Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re: Perl module search engine

by alexm (Chaplain)
on Jun 15, 2008 at 14:24 UTC ( #692149=note: print w/replies, xml ) Need Help??


in reply to Perl module search engine

Allowing any regular expression is very dangerous, e.g.:
my $re = qr|(?{system 'cat /etc/passwd'})|; "any string" =~ $re;
Update: thanks to moritz for explaining that this example isn't actually a problem. However, checking (and laundering) tainted data is always a good idea, specially when dealing with web apps.

Replies are listed 'Best First'.
Re^2: Perl module search engine
by moritz (Cardinal) on Jun 15, 2008 at 14:50 UTC
    That's not a problem if the regex comes from the outside world:
    $ perl -wle ' "any string" =~ m/$ARGV[0]/' "(?{system 'cat /etc/passwd +'})" Eval-group not allowed at runtime, use re 'eval' in regex m/(?{system +'cat /etc/passwd'})/ at -e line 1.

    The real problem are denial-of-service attacks with endlessly backtracking regexes.

      ...endlessly backtracking regexes.

      Could you please provide an example? I would like to investigate it and see if there's a problem. Thanks.

      I always envisioned HTML::Perlinfo::Modules as something Perl developers might use, not the general public (which is why I wasn't too concerned that the HTML was absolutely perfect). You know, something you could install in your local intranet to see what's on your system.

        Could you please provide an example?
        perl -wle '$_="abc" x $ARGV[0]; m/(((.){1,20}.+){1,34}){2,4}[d]/' 10

        And now tell me how long your perl takes to find out that this regex fails ;-)
        $ARGV[0]time in s
        30.003
        40.016
        50.167
        62.0
        723.8
        8146

        I wasn't patient enough to see how long it takes to match with $ARGV[0] == 9, or in other words against 27 characters of input.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://692149]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (6)
As of 2019-12-13 00:53 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?