PerlMonks  

Re^2: Perl module search engine

by moritz (Cardinal)
on Jun 15, 2008 at 14:50 UTC [id://692151]


in reply to Re: Perl module search engine
in thread Perl module search engine

That's not a problem if the regex comes from the outside world:
    $ perl -wle '"any string" =~ m/$ARGV[0]/' "(?{system 'cat /etc/passwd'})"
    Eval-group not allowed at runtime, use re 'eval' in regex m/(?{system 'cat /etc/passwd'})/ at -e line 1.

The real problem is denial-of-service attacks with endlessly backtracking regexes.

Replies are listed 'Best First'.
Re^3: Perl module search engine
by jacques (Priest) on Jun 15, 2008 at 21:02 UTC
    ...endlessly backtracking regexes.

    Could you please provide an example? I would like to investigate it and see if there's a problem. Thanks.

    I always envisioned HTML::Perlinfo::Modules as something Perl developers might use, not the general public (which is why I wasn't too concerned that the HTML was absolutely perfect). You know, something you could install in your local intranet to see what's on your system.

      Could you please provide an example?
      perl -wle '$_="abc" x $ARGV[0]; m/(((.){1,20}.+){1,34}){2,4}[d]/' 10

      And now tell me how long your perl takes to find out that this regex fails ;-)
      $ARGV[0]   time in s
      3          0.003
      4          0.016
      5          0.167
      6          2.0
      7          23.8
      8          146

      I wasn't patient enough to see how long it takes to match with $ARGV[0] == 9, or in other words against 27 characters of input.

        Yes, it's a problem. I just tested your example. I am going to have to figure out a way to sniff it out and upload a new version. Maybe I should just not allow regexps? Thanks for the info.
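One way to close the hole jacques is asking about, added here as an example (it is not code from the thread or from HTML::Perlinfo::Modules): never hand the user's string to m// as a regex at all. Accept a tiny glob syntax (`*` and `?`) and quotemeta everything else, so nested quantifiers like the ones in moritz's pattern can never reach the engine. The module list below is constructed.

```perl
#!/usr/bin/perl
# Added example, not from the thread: build the search regex ourselves from a
# restricted glob syntax instead of interpolating user input into m//.
use strict;
use warnings;
use Time::HiRes qw(time);

# Translate a user search string into a regex with no backtracking hazards:
#   '*' -> '.*?'   (any run of characters)
#   '?' -> '.'     (exactly one character)
# Everything else is quoted with quotemeta, so '(', '{', '+' and friends are
# plain literals. A length cap keeps even the literal part small.
sub safe_search_regex {
    my ($user_input) = @_;
    die "search string too long\n" if length $user_input > 64;
    my $re = join '', map {
        $_ eq '*' ? '.*?' : $_ eq '?' ? '.' : quotemeta($_)
    } split //, $user_input;
    return qr/^$re$/i;
}

# Constructed stand-in for the list of installed modules.
my @modules = qw(HTML::Perlinfo::Modules HTML::Perlinfo Regexp::Common
                 Module::Find strict warnings);

# Normal use: a glob typed into the search box.
my $glob = safe_search_regex('HTML::Perlinfo*');
print "matched: $_\n" for grep { $_ =~ $glob } @modules;

# The pathological pattern from the thread is now just a literal string:
# it matches nothing here and, more importantly, returns immediately.
my $hostile = '(((.){1,20}.+){1,34}){2,4}[d]';
my $re      = safe_search_regex($hostile);
my $t0      = time;
my @hits    = grep { $_ =~ $re } @modules;
printf "hostile input matched %d modules in %.4f s\n", scalar @hits, time - $t0;
```

If real regex support is wanted for developers, the same function is the place to gate it behind an explicit option rather than the default search path.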
