Is it safe to read regular expressions from a file?

Posted by Zilk on Stack Overflow
Published on 2008-10-28T03:04:07Z Indexed on 2010/05/12 8:14 UTC

Assuming a Perl script that allows users to specify several text filter expressions in a config file, is there a safe way to let them enter regular expressions as well, without the possibility of unintended side effects or code execution? Without actually parsing the regexes and checking them for problematic constructs, that is. There won't be any substitution, only matching.

As an aside, is there a way to test if the specified regex is valid before actually using it? I'd like to issue warnings if something like /foo (bar/ was entered.

Thanks, Z.


EDIT:
Thanks for the very interesting answers. I've since found out that the following dangerous constructs will only be evaluated in regexes if the use re 'eval' pragma is used:

(?{code})
(??{code})
${code}
@{code}

The default is no re 'eval'; so unless I'm missing something, it should be safe to read regular expressions from a file, with the only check being the eval/catch posted by Axeman. At least I haven't been able to hide anything evil in them in my tests.

Thanks again. Z.
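
The approach described in the post above, as an added example that is not part of the original post: each pattern is compiled inside an eval block so that an invalid regex, or one containing an embedded code block, is reported instead of being used. The names compile_filters, @config_lines and $ran are hypothetical, and the sample filter lines and input text are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
no re 'eval';    # the default; written out so the intent is explicit

our $ran;        # would be set if an embedded code block ever executed

# Constructed sample filter lines, standing in for the user's config file.
my @config_lines = (
    '^ERROR\b',                  # valid
    'foo (bar',                  # unbalanced parenthesis
    'x(?{ $main::ran = 1 })',    # embedded code block
    '',                          # blank line, skipped
);

# Compile each line inside eval so a bad pattern is reported, not fatal.
# Returns (\@compiled, \@rejected); rejected entries are [line_no, source, reason].
sub compile_filters {
    my @lines = @_;
    my (@compiled, @rejected);
    for my $i (0 .. $#lines) {
        my $src = $lines[$i];
        next unless length $src;
        my $re = eval { qr/$src/ };
        if (defined $re) {
            push @compiled, $re;
            next;
        }
        (my $why = $@) =~ s/ at .*? line \d+\.?\s*\z//s;   # drop script location
        push @rejected, [ $i + 1, $src, $why ];
    }
    return (\@compiled, \@rejected);
}

my ($compiled, $rejected) = compile_filters(@config_lines);
warn "config line $_->[0]: rejected /$_->[1]/: $_->[2]\n" for @$rejected;

# Matching only, no substitution. Sample input lines are constructed.
for my $text ('ERROR disk full', 'INFO started', 'x') {
    my $hit = grep { $text =~ $_ } @$compiled;
    printf "%-16s %s\n", $text, $hit ? 'matched' : 'no match';
}
print 'embedded code ran: ', (defined $ran ? 'yes' : 'no'), "\n";
```

Because the pattern text arrives in a variable and is interpolated at run time, Perl refuses the (?{...}) construct unless use re 'eval' is in scope, so the third sample line ends up in the rejected list alongside the unbalanced one.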

© Stack Overflow or respective owner
