Re^2: Perl module search engine

That's not a problem if the regex comes from the outside world:

$ perl -wle ' "any string" =~ m/$ARGV[0]/' "(?{system 'cat /etc/passwd
+'})"
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{system 
+'cat /etc/passwd'})/ at -e line 1.
[download]

The real problem are denial-of-service attacks with endlessly backtracking regexes.

Comment on Re^2: Perl module search engine Download Code

Replies are listed 'Best First'.

Re^3: Perl module search engine
by jacques (Priest) on Jun 15, 2008 at 21:02 UTC

...endlessly backtracking regexes.

Could you please provide an example? I would like to investigate it and see if there's a problem. Thanks.

I always envisioned HTML::Perlinfo::Modules as something Perl developers might use, not the general public (which is why I wasn't too concerned that the HTML was absolutely perfect). You know, something you could install in your local intranet to see what's on your system.

[reply]

Re^4: Perl module search engine

by moritz (Cardinal) on Jun 15, 2008 at 21:48 UTC

Could you please provide an example?

perl -wle '$_="abc" x $ARGV[0]; m/(((.){1,20}.+){1,34}){2,4}[d]/' 10
[download]

And now tell me how long your perl takes to find out that this regex fails ;-)

$ARGV[0] time in s

3 0.003

4 0.016

5 0.167

6 2.0

7 23.8

8 146

I wasn't patient enough to see how long it takes to match with $ARGV[0] == 9, or in other words against 27 characters of input.

[reply]
[d/l]
[select]

Re^5: Perl module search engine

by jacques (Priest) on Jun 15, 2008 at 22:17 UTC

Yes, it's a problem. I just tested your example. I am going to have to figure out a way to sniff it out and upload a new version. Maybe I should just not allow regexps? Thanks for the info.

[reply]


Clear questions and runnable code get the best and fastest answer
	PerlMonks