Is it safe to read regular expressions from a file?
Posted
by Zilk
on Stack Overflow
Published on 2008-10-28T03:04:07Z
Indexed on
2010/05/12
8:14 UTC
Assuming a Perl script that allows users to specify several text filter expressions in a config file, is there a safe way to let them enter regular expressions as well, without the possibility of unintended side effects or code execution? Without actually parsing the regexes and checking them for problematic constructs, that is. There won't be any substitution, only matching.
As an aside, is there a way to test if the specified regex is valid before actually using it? I'd like to issue warnings if something like /foo (bar/ was entered.
Thanks, Z.
EDIT:
Thanks for the very interesting answers. I've since found out that the following dangerous constructs will only be evaluated in regexes if the use re 'eval' pragma is used:
(?{code})
(??{code})
${code}
@{code}
The default is no re 'eval'; so unless I'm missing something, it should be safe to read regular expressions from a file, with the only check being the eval/catch posted by Axeman. At least I haven't been able to hide anything evil in them in my tests.
Thanks again. Z.
© Stack Overflow or respective owner
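The kind of eval-based validity check the question's edit refers to, as an added example (not code from the original post, and not Axeman's answer, which does not appear on this page). The sub name compile_filter, the $ran flag and the sample patterns are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
no re 'eval';   # already the default; stated so an enclosing "use re 'eval'" cannot leak in

our $ran = 0;   # side-effect flag that the embedded code block below would set

# Compile one user-supplied pattern. Returns (qr object, undef) on success
# or (undef, reason) when Perl rejects the pattern.
sub compile_filter {
    my ($source) = @_;
    my $re = eval { qr/$source/ };
    return ($re, undef) if defined $re;
    (my $why = $@) =~ s/ at \S+ line \d+\.?\s*\z//;   # drop the script location
    return (undef, $why);
}

# Constructed sample standing in for lines read from the config file.
my @config_lines = (
    'foo\s+bar',                 # valid
    'foo (bar',                  # the unbalanced pattern from the question
    '(?{ $main::ran = 1 })x',    # embedded code block
    '^\d{3}-\d{4}$',             # valid
);

my @filters;
for my $line (@config_lines) {
    my ($re, $why) = compile_filter($line);
    if ($re) {
        push @filters, $re;
        print "ok      $line\n";
    }
    else {
        warn "skipped $line: $why\n";
    }
}

# Matching only, no substitution, as in the question.
for my $text ('foo   bar', '555-1234', 'nothing here') {
    my @hits = grep { $text =~ $_ } @filters;
    printf "%-14s matched %d filter(s)\n", "'$text'", scalar @hits;
}
print "embedded code ran: ", ($ran ? "yes" : "no"), "\n";
```

Compiling each pattern once with qr// inside eval means a bad entry is reported when the config is loaded instead of failing at the first match attempt.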