
Re^2: Perl module search engine

by moritz (Cardinal)
on Jun 15, 2008 at 14:50 UTC

in reply to Re: Perl module search engine
in thread Perl module search engine

That's not a problem if the regex comes from the outside world:
$ perl -wle ' "any string" =~ m/$ARGV[0]/' "(?{system 'cat /etc/passwd'})"
Eval-group not allowed at runtime, use re 'eval' in regex m/(?{system 'cat /etc/passwd'})/ at -e line 1.

The real problem is denial-of-service attacks with endlessly backtracking regexes.

Re^3: Perl module search engine
by jacques (Priest) on Jun 15, 2008 at 21:02 UTC
    ...endlessly backtracking regexes.

    Could you please provide an example? I would like to investigate it and see if there's a problem. Thanks.

    I always envisioned HTML::Perlinfo::Modules as something Perl developers might use, not the general public (which is why I wasn't too concerned that the HTML was absolutely perfect). You know, something you could install in your local intranet to see what's on your system.

      Could you please provide an example?
      perl -wle '$_="abc" x $ARGV[0]; m/(((.){1,20}.+){1,34}){2,4}[d]/' 10

      And now tell me how long your perl takes to find out that this regex fails ;-)
      $ARGV[0] | time in s

      I wasn't patient enough to see how long it takes to match with $ARGV[0] == 9, or in other words against 27 characters of input.

        Yes, it's a problem. I just tested your example. I am going to have to figure out a way to sniff it out and upload a new version. Maybe I should just not allow regexps? Thanks for the info.
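
Added example (not part of the thread, and not code from HTML::Perlinfo::Modules): one way to bound the cost of a user-supplied pattern is to run the match in a child process and kill it after a time limit. It assumes a Unix-like system with fork; the helper name match_with_timeout and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper: match an untrusted $pattern against $text in a child
# process and give up after $timeout seconds.
# Returns 'match', 'nomatch', 'invalid', 'timeout' or 'error'.
sub match_with_timeout {
    my ($pattern, $text, $timeout) = @_;

    defined(my $pid = fork()) or die "fork failed: $!";
    if ($pid == 0) {
        # Child. There is no "use re 'eval'" in scope, so an interpolated
        # (?{...}) group is refused at runtime, as the thread shows.
        my $re = eval { qr/$pattern/ };
        POSIX::_exit(2) unless defined $re;
        POSIX::_exit($text =~ $re ? 0 : 1);
    }

    # Parent. Perl defers signals until the current opcode finishes, so an
    # alarm cannot break out of a running match; it can interrupt waitpid,
    # which lets the parent enforce the limit from outside.
    my $finished = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        waitpid($pid, 0);
        alarm 0;
        1;
    };
    if (!$finished) {
        kill 'KILL', $pid;
        waitpid($pid, 0);    # reap the killed child
        return 'timeout';
    }
    return 'error' if $? & 127;    # child died from a signal
    my %status = (0 => 'match', 1 => 'nomatch', 2 => 'invalid');
    return $status{ $? >> 8 } // 'error';
}

# Constructed inputs: the pattern from the thread, a benign pattern and a
# harmless eval group, each run against 30 characters with a 2 second limit.
my $text = 'abc' x 10;
for my $pattern ('(((.){1,20}.+){1,34}){2,4}[d]', 'c.b', '(?{ 1 })') {
    print "$pattern => ", match_with_timeout($pattern, $text, 2), "\n";
}
```

How long the thread's pattern actually runs depends on the regex optimizations in the Perl version used; whatever the cost, the parent returns within the limit.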
